Windows Analysis Report
DOC031022-03102022004246_Squamose_10-2022-06.exe

Overview

General Information

Sample Name: DOC031022-03102022004246_Squamose_10-2022-06.exe
Analysis ID: 722148
MD5: 80e5c7d8998aa2c78665dcc7fe26ba15
SHA1: 30d2a10b97beee0d6281b01cd25d5cc46e870ae1
SHA256: 844956284f698514c92b7dd3e64815fad360c362797f14eb187205e178b405e1
Tags: exe

Detection

GuLoader
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Mass process execution to delay analysis
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Too many similar processes found
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Virustotal: Detection: 65%
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Habitters\Arkivers\Sker
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405861
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0040639C FindFirstFileA,FindClose, 0_2_0040639C
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://www.avast.com0/
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512795226.00000000027A6000.00000004.00000800.00020000.00000000.sdmp, DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000002.512094248.000000000040A000.00000004.00000001.01000000.00000003.sdmp, lang-1026.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052FE
Source: conhost.exe Process created: 71
Source: lang-1026.dll.0.dr Static PE information: No import functions for PE file found
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe, 00000000.00000000.245457771.000000000043D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKrikkers Scamps.exe4 vs DOC031022-03102022004246_Squamose_10-2022-06.exe
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Binary or memory string: OriginalFilenameKrikkers Scamps.exe4 vs DOC031022-03102022004246_Squamose_10-2022-06.exe
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040330D
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File read: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x70203289 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692291 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783A95 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30296B8B -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x723322FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A54CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x727477C4 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C416EC9 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F632ACC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783395 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30783195 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30302E85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x692032DD -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x34302BD5 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A51C0 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x74466BC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x65506DCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6E7467D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x28697096 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x31343091 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x202C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302ECC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2E7230FC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6C652ACC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72332E85 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69207094 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C2A6B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BCC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3332389F -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x43616EC9 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x57696CC1 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6F7752D7 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x69723385 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BFC -bxor 677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Chiromantis
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Users\user\AppData\Local\Temp\nsk6318.tmp
Source: classification engine Classification label: mal68.troj.evad.winEXE@204/7@0/0
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar, 0_2_004020CB
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004045CA
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Habitters\Arkivers\Sker
Source: DOC031022-03102022004246_Squamose_10-2022-06.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.512410508.0000000000582000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512462587.0000000000597000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DOC031022-03102022004246_Squamose_10-2022-06.exe PID: 732, type: MEMORYSTR
Source: Yara match File source: 00000000.00000002.512634732.0000000000650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00655866 push edi; retf 0_2_00655869
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00650010 pushad ; ret 0_2_00650013
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_006548EF push edi; ret 0_2_0065495F
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_006548A1 push edi; ret 0_2_0065495F
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00650CB6 push esi; iretd 0_2_00650CB7
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Chiromantis\Maalscore\Brachiosaurus\Juxtaposed\lang-1026.dll
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Users\user\AppData\Local\Temp\nsb66D3.tmp\nsExec.dll
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe File created: C:\Users\user\AppData\Local\Temp\nsb66D3.tmp\System.dll
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656C3197 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x3A3A41D7 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x46696EC0 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x41286F85 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x72342289 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20692295 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x78383295 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x30303295 -bxor 677
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Window / User API: threadDelayed 435
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe TID: 4832 Thread sleep time: -43500s >= -30000s
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Chiromantis\Maalscore\Brachiosaurus\Juxtaposed\lang-1026.dll
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00651C64 rdtsc 0_2_00651C64
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405861
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0040639C FindFirstFileA,FindClose, 0_2_0040639C
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00655044 mov eax, dword ptr fs:[00000030h] 0_2_00655044
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00658D86 mov eax, dword ptr fs:[00000030h] 0_2_00658D86
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0065DA17 mov eax, dword ptr fs:[00000030h] 0_2_0065DA17
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00658AE5 mov eax, dword ptr fs:[00000030h] 0_2_00658AE5
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0065F325 mov eax, dword ptr fs:[00000030h] 0_2_0065F325
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_00658B27 mov eax, dword ptr fs:[00000030h] 0_2_00658B27
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0065B7CC mov eax, dword ptr fs:[00000030h] 0_2_0065B7CC
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x656176C0 -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C692295 -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x6B6570CB -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x2C206B85 -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x302C22CC -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe 0x20302BFC -bxor 677 Jump to behavior
Source: C:\Users\user\Desktop\DOC031022-03102022004246_Squamose_10-2022-06.exe Code function: 0_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040330D
No contacted IP infos